Return-Path: 
 <dev-return-17070-apmail-couchdb-dev-archive=couchdb.apache.org@couchdb.apache.org>
X-Original-To: apmail-couchdb-dev-archive@www.apache.org
Delivered-To: apmail-couchdb-dev-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id D236F6732
	for <apmail-couchdb-dev-archive@www.apache.org>;
 Wed,  6 Jul 2011 14:50:29 +0000 (UTC)
Received: (qmail 68287 invoked by uid 500); 6 Jul 2011 14:50:29 -0000
Delivered-To: apmail-couchdb-dev-archive@couchdb.apache.org
Received: (qmail 68203 invoked by uid 500); 6 Jul 2011 14:50:28 -0000
Mailing-List: contact dev-help@couchdb.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@couchdb.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@couchdb.apache.org>
List-Post: <mailto:dev@couchdb.apache.org>
List-Id: <dev.couchdb.apache.org>
Reply-To: dev@couchdb.apache.org
Delivered-To: mailing list dev@couchdb.apache.org
Received: (qmail 68195 invoked by uid 99); 6 Jul 2011 14:50:28 -0000
Received: from minotaur.apache.org (HELO minotaur.apache.org) (140.211.11.9)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 06 Jul 2011 14:50:28 +0000
Received: from localhost (HELO mail-iw0-f180.google.com) (127.0.0.1)
  (smtp-auth username rnewson, mechanism plain)
  by minotaur.apache.org (qpsmtpd/0.29) with ESMTP;
 Wed, 06 Jul 2011 14:50:28 +0000
Received: by iwn9 with SMTP id 9so13245948iwn.11
        for <dev@couchdb.apache.org>; Wed, 06 Jul 2011 07:50:27 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.74.18 with SMTP id s18mr7806108ibj.135.1309963827582; Wed,
 06 Jul 2011 07:50:27 -0700 (PDT)
Received: by 10.231.146.80 with HTTP; Wed, 6 Jul 2011 07:50:27 -0700 (PDT)
In-Reply-To: 
 <CAKmKYaCUMMKr9mA6ssDVHyzcx+hueBdaOSgBCcrZr603Ci=R8A@mail.gmail.com>
References: 
 <CABvT1DFkZHWMZ15DCVQiedy9+GdgCtXhMtY-8qfPq35bmeHOsw@mail.gmail.com>
	<CAKmKYaCUMMKr9mA6ssDVHyzcx+hueBdaOSgBCcrZr603Ci=R8A@mail.gmail.com>
Date: Wed, 6 Jul 2011 15:50:27 +0100
Message-ID: 
 <CABvT1DH7jyvX1H95a+jqheg64PN1Y8AVuQCg7UoC9wC1+3ZjYA@mail.gmail.com>
Subject: Re: Improving password hashing.
From: Robert Newson <rnewson@apache.org>
To: dev@couchdb.apache.org
Content-Type: text/plain; charset=ISO-8859-1

Because PBKDF2 has been designed and tested by cryptographers and is
fully described in RFC 2898 which includes test vectors to verify an
implementation. bcrypt is tied to a now obsolete cipher (blowfish), I
don't know anything much about scrypt but anyone can claim they
designed it to be more secure, but proving it is another matter.

B.

On 6 July 2011 15:43, Dirkjan Ochtman <dirkjan@ochtman.nl> wrote:
> On Wed, Jul 6, 2011 at 14:43, Robert Newson <rnewson@apache.org> wrote:
>> Some time ago I wrote some code to implement the PBKDF2 protocol. This
>> is a cryptographically sound means of deriving a key from a password.
>
> Why is this better than stuff like bcrypt or scrypt? The page for the
> latter, at least, states that it "is designed to be far more secure
> against hardware brute-force attacks than alternative functions such
> as PBKDF2".
>
> Cheers,
>
> Dirkjan
>