Home page logo

oss-sec logo oss-sec mailing list archives

password hashing
From: Solar Designer <solar () openwall com>
Date: Sun, 7 Oct 2012 02:50:34 +0400


I was too shy to spam oss-security with this, but a list member (who is
also on Openwall's announce list) asked me to.  Armed with this excuse,
let me tell you that I made two presentations on password hashing this
year.  It's everything you wanted to know about password hashing since
1960s to present day and the near future, and more. ;-)

Password security: past, present, future
(with strong bias towards password hashing)

Password hashing at scale
(for Internet companies with millions of users)

Discussion of the latter at /r/crypto:

and on john-users (click "thread-next"):
(I intend to reply to the questions raised further in that thread.)

SHA-3 is deliberately not mentioned on the slides yet.  I briefly
thought of retroactively adding a few mentions of it (YaC 2012 was a day
too early), but decided not to.  SHA-3 should be similar to DES (read:
very good) in context of possible defensive use of FPGAs.  As to
PBKDF2-HMAC-SHA-3, things are less clear, although it's probably weaker
than PBKDF2-HMAC-SHA-512 (is it also weaker than -SHA-256? than -SHA-1?
not sure).  (In this context, "weaker" means it allows for even more
efficient attack-optimized implementations than the other hash type,
resulting in higher passwords tested per second rate for the same
processing cost of defensive use.)  I prefer to keep only fairly
reliable information on the slides, and not speculate on important
issues there (but I do speculate here, as you can see).  Those of you
who follow @solardiz on Twitter probably already know a bit more on my
expectations and reasoning for throughput-optimized parallelized
implementations of SHA-3, due to the too-many-tweet conversation I had
with @marshray. ;-)


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]