What password hashing method should I use?

This question made me think about password hashing again. I am currently using bcrypt (specifically py-bcrypt). I heard a lot about PBKDF2 and encrypted.

I am wondering if there are any “more modern” methods for hashing passwords that I might not know about (because they are new, so people don’t talk about them so much), or maybe I don’t know other methods.

And then, from there, which one should I use? Most people seem to recommend bcrypt, but I wonder if this is simply because it is old (read: well known). scrypt looks better (variable memory usage). I do not know much about PBKDF2.

So, if I create a user management scheme, which one should I use? Or should I use something completely different?

1 answer

PBKDF2 is used in WPA / WPA2 and Domain Cached Credentials 2 (aka DCC2). You can change the number of iterations of the HMAC-SHA1 to increase security. This method of slowing down the cracking process is not broken. However, since it is based on SHA1, you can call it GPU-friendly for an attacker.

Both bcrypt and scrypt use a lookup table. This memory dependency makes them GPU-unfriendly. However, the latest 28 nm GPU architectures again enable very fast memory access.

For now you should prefer bcrypt or scrypt. Memory-dependent hashes are the good choice today, but this may change in the future. Watch how the performance of GPU crackers increases. It is possible that they will reach a point at which it would be better to switch back to plain hashes that are not GPU-friendly and simply increase their number of iterations.

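As an added example (not from the question or the answer above), here is the practical difference between the two approaches in code: PBKDF2-HMAC (shown with SHA-256 rather than the SHA1 the answer mentions) is tuned only by its iteration count, while scrypt is tuned by memory (N, r) and parallelism (p); each stored record carries its own parameters so the cost can be raised later as cracking hardware improves. The function names, the `$`-separated record format and the sample parameters are my own choices, not anything from the page.

```python
import hashlib
import hmac
import os
import time

def pbkdf2_hash(password: str, salt: bytes, iterations: int) -> bytes:
    # Cost grows only with the iteration count; each guess is pure CPU work,
    # which is why PBKDF2 parallelises so well on GPUs.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)

def scrypt_hash(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    # Each guess needs about 128 * r * n bytes of RAM (16 MiB for n=2**14, r=8);
    # that memory dependency is what makes scrypt GPU-unfriendly.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          maxmem=64 * 1024 * 1024, dklen=32)

def store(password: str, scheme: str = "scrypt") -> str:
    # Self-describing record (scheme, parameters, salt, digest) so the cost can be
    # raised for new passwords without breaking verification of old ones.
    salt = os.urandom(16)
    if scheme == "pbkdf2":
        iterations = 600_000
        digest = pbkdf2_hash(password, salt, iterations)
        return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"
    n, r, p = 2**14, 8, 1
    digest = scrypt_hash(password, salt, n, r, p)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"

def verify(password: str, record: str) -> bool:
    parts = record.split("$")
    if parts[0] == "pbkdf2" and len(parts) == 4:
        candidate = pbkdf2_hash(password, bytes.fromhex(parts[2]), int(parts[1]))
        expected = bytes.fromhex(parts[3])
    elif parts[0] == "scrypt" and len(parts) == 6:
        candidate = scrypt_hash(password, bytes.fromhex(parts[4]),
                                int(parts[1]), int(parts[2]), int(parts[3]))
        expected = bytes.fromhex(parts[5])
    else:
        return False  # unknown or malformed record
    # Constant-time comparison avoids leaking how many digest bytes matched.
    return hmac.compare_digest(candidate, expected)

def cost_seconds(scheme: str) -> float:
    # Time one hash on the real login hardware to tune parameters to a target delay.
    start = time.perf_counter()
    store("benchmark-password", scheme)
    return time.perf_counter() - start

if __name__ == "__main__":
    rec = store("correct horse battery staple")
    print(rec, verify("correct horse battery staple", rec))
    print("pbkdf2:", round(cost_seconds("pbkdf2"), 3), "s  scrypt:", round(cost_seconds("scrypt"), 3), "s")
```

Re-run `cost_seconds` whenever the login hardware changes and raise the iteration count or N until a single hash costs as much as you can afford per login.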

Source: https://habr.com/ru/post/906738/
