From Stefan Fritsch ...@sfritsch.de>
Subject Re: Choosing a stronger password hash algorithm
Date Mon, 02 Jul 2012 19:46:19 GMT
On Monday 02 July 2012, Ben Laurie wrote:
> FWIW, I am not super-keen on this particular move. Whilst bcrypt is
> certainly an improvement, I am wary of relying on Blowfish - it is
> not a mainstream cipher and is not subject to the kind of scrutiny
> that, say, AES or SHA-2/3 are.
> If we are going to change, then we should change to a mechanism
> that is subject to ongoing cryptanalysis.

bcrypt has the advantage that it currently does not give much speed-up 
on GPUs versus CPUs. So brute-forcing is more difficult than, e.g., for 
glibc's sha256 or sha512 based algorithms. And we can't just 
arbitrarily increase the number of rounds because that would make 
httpd prone to DoS attacks. My rationale for bcrypt is here:


Your comments on that would be welcome.

Due to Poul-Henning Kamp's declaration that md5crypt is insecure, 
there is some renewed interest in this field. Maybe there will be a 
new algorithm soon that is both difficult to brute-force on GPUs and 
based on something standard like AES or SHA*.

Maybe we could add bcrypt for now and if something better appears, 
then add that as well?



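The trade-off in the message above (a higher work factor slows the offline attacker but also slows the server on every failed login, which is the DoS angle) can be made concrete. The following is an added example, not httpd/APR code and not anything posted in this thread. It reads the work factor out of stored crypt(3)-style strings (the `$2y$`/`$2a$` bcrypt cost, the `$5$`/`$6$` glibc sha-crypt `rounds=` field with its default of 5000 and its 1000..999999999 clamp, and md5crypt's fixed 1000), then budgets verification throughput against it. The timing part uses hashlib's PBKDF2-HMAC-SHA512 purely as a stand-in tunable-cost hash, since it is in the standard library; it is not bcrypt or sha-crypt, and the sample hash strings are constructed placeholders, not real digests.

```python
"""Work-factor inspection and DoS budgeting for crypt(3)-style password hashes.

Added example for this thread; it is not httpd/APR code.  PBKDF2-HMAC-SHA512
from hashlib is used only as a stand-in tunable-cost hash for the timing demo
(it is NOT bcrypt or glibc sha-crypt); the cost-string parsing follows the
published $2y$ / $5$ / $6$ / $1$ formats.
"""
import hashlib
import os
import re
import time

# bcrypt: $2a$/$2b$/$2y$ + two-digit cost (iterations = 2**cost), then 53 chars
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$")
# glibc sha-crypt: $5$ (SHA-256) or $6$ (SHA-512), optional rounds=N$ prefix
SHACRYPT_RE = re.compile(r"^\$(5|6)\$(?:rounds=(\d+)\$)?")
SHACRYPT_DEFAULT_ROUNDS = 5000
SHACRYPT_MIN_ROUNDS, SHACRYPT_MAX_ROUNDS = 1000, 999_999_999


def parse_cost(hash_str):
    """Return (scheme, work factor) encoded in a stored hash, without verifying it.

    The work factor is what the server spends on every verification of this
    hash, so it is the number a DoS budget has to be computed against.
    """
    m = BCRYPT_RE.match(hash_str)
    if m:
        return "bcrypt", int(m.group(1))        # log2 of the eksblowfish rounds
    m = SHACRYPT_RE.match(hash_str)
    if m:
        scheme = "sha256crypt" if m.group(1) == "5" else "sha512crypt"
        rounds = int(m.group(2)) if m.group(2) else SHACRYPT_DEFAULT_ROUNDS
        # glibc clamps out-of-range values rather than rejecting them
        rounds = max(SHACRYPT_MIN_ROUNDS, min(rounds, SHACRYPT_MAX_ROUNDS))
        return scheme, rounds
    if hash_str.startswith("$1$"):
        return "md5crypt", 1000                  # fixed, not tunable
    return "unknown", None


def iterations(scheme, cost):
    """Iteration count implied by a work factor (bcrypt stores log2)."""
    return 2 ** cost if scheme == "bcrypt" else cost


def verify_budget(seconds_per_hash, cores, auth_share=0.5):
    """Login attempts per second before password verification alone consumes
    `auth_share` of `cores` CPUs.  Above this, an unauthenticated client that
    keeps posting wrong passwords is driving the server's CPU."""
    return cores * auth_share / seconds_per_hash


def attacker_guesses_per_day(seconds_per_hash, devices=1, speedup=1.0):
    """Offline guesses per day for an attacker whose hardware is `speedup`
    times faster per hash than our server (the GPU-vs-CPU ratio at issue)."""
    return devices * speedup * 86400 / seconds_per_hash


def scale_work(base_work, measured_seconds, target_seconds):
    """Pick a work factor so one hash takes about target_seconds, given a
    measurement at base_work (cost grows linearly with iterations)."""
    return max(1, int(base_work * target_seconds / measured_seconds))


def time_stand_in(iters, samples=3):
    """Best-of-N seconds for one PBKDF2-HMAC-SHA512 hash at `iters` (stand-in)."""
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(samples):
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha512", b"correct horse", salt, iters)
        best = min(best, time.perf_counter() - t0)
    return best


if __name__ == "__main__":
    # Constructed sample hashes: salts/digests are placeholders, not real output
    samples = ("$2y$12$" + "x" * 53, "$6$rounds=100000$salt$hash",
               "$5$salt$hash", "$1$salt$hash")
    for h in samples:
        scheme, cost = parse_cost(h)
        print(f"{h[:26]:26} -> {scheme:12} cost={cost} iters={iterations(scheme, cost)}")

    base = 20_000
    measured = time_stand_in(base)
    tuned = scale_work(base, measured, 0.05)      # aim for ~50 ms per verify
    per_hash = time_stand_in(tuned)
    print(f"stand-in hash: {tuned} iters -> {per_hash * 1000:.1f} ms")
    print(f"server: {verify_budget(per_hash, cores=4):.0f} attempts/s before "
          f"auth uses 50% of 4 cores")
    print(f"attacker @ 1x: {attacker_guesses_per_day(per_hash):.2e} guesses/day; "
          f"@ 50x GPU speed-up: {attacker_guesses_per_day(per_hash, speedup=50):.2e}")
```

The `speedup` parameter is the whole argument in one number: for sha-crypt, raising `rounds` costs the server and the GPU attacker the same factor, so the ratio never improves; a hash with a small GPU speed-up keeps the attacker's guesses/day low at a work factor the server can still afford under a flood of bad logins.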