incubator-couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Robert Newson <rnew...@apache.org>
Subject Re: Improving password hashing.
Date Wed, 06 Jul 2011 14:51:47 GMT
To benoitc's point, we could switch sha256 in for sha1 as soon as it's
available in an OTP release.

B.

On 6 July 2011 15:50, Robert Newson <rnewson@apache.org> wrote:
> Because PBKDF2 has been designed and tested by cryptographers and is
> fully described in RFC 2898 which includes test vectors to verify an
> implementation. bcrypt is tied to a now obsolete cipher (blowfish), I
> don't know anything much about scrypt but anyone can claim they
> designed it to be more secure, but proving it is another matter.
>
> B.
>
> On 6 July 2011 15:43, Dirkjan Ochtman <dirkjan@ochtman.nl> wrote:
>> On Wed, Jul 6, 2011 at 14:43, Robert Newson <rnewson@apache.org> wrote:
>>> Some time ago I wrote some code to implement the PBKDF2 protocol. This
>>> is a cryptographically sound means of deriving a key from a password.
>>
>> Why is this better than stuff like bcrypt or scrypt? The page for the
>> latter, at least, states that it "is designed to be far more secure
>> against hardware brute-force attacks than alternative functions such
>> as PBKDF2".
>>
>> Cheers,
>>
>> Dirkjan
>>
>

Mime
View raw message