couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Robert Newson <>
Subject Re: Improving password hashing.
Date Wed, 06 Jul 2011 14:50:27 GMT
Because PBKDF2 has been designed and tested by cryptographers and is
fully described in RFC 2898 which includes test vectors to verify an
implementation. bcrypt is tied to a now obsolete cipher (blowfish), I
don't know anything much about scrypt but anyone can claim they
designed it to be more secure, but proving it is another matter.


On 6 July 2011 15:43, Dirkjan Ochtman <> wrote:
> On Wed, Jul 6, 2011 at 14:43, Robert Newson <> wrote:
>> Some time ago I wrote some code to implement the PBKDF2 protocol. This
>> is a cryptographically sound means of deriving a key from a password.
> Why is this better than stuff like bcrypt or scrypt? The page for the
> latter, at least, states that it "is designed to be far more secure
> against hardware brute-force attacks than alternative functions such
> as PBKDF2".
> Cheers,
> Dirkjan

View raw message