Return-Path: 
 <dev-return-17071-apmail-couchdb-dev-archive=couchdb.apache.org@couchdb.apache.org>
X-Original-To: apmail-couchdb-dev-archive@www.apache.org
Delivered-To: apmail-couchdb-dev-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 941BD6780
	for <apmail-couchdb-dev-archive@www.apache.org>;
 Wed,  6 Jul 2011 14:51:49 +0000 (UTC)
Received: (qmail 70796 invoked by uid 500); 6 Jul 2011 14:51:49 -0000
Delivered-To: apmail-couchdb-dev-archive@couchdb.apache.org
Received: (qmail 70729 invoked by uid 500); 6 Jul 2011 14:51:48 -0000
Mailing-List: contact dev-help@couchdb.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@couchdb.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@couchdb.apache.org>
List-Post: <mailto:dev@couchdb.apache.org>
List-Id: <dev.couchdb.apache.org>
Reply-To: dev@couchdb.apache.org
Delivered-To: mailing list dev@couchdb.apache.org
Received: (qmail 70721 invoked by uid 99); 6 Jul 2011 14:51:48 -0000
Received: from minotaur.apache.org (HELO minotaur.apache.org) (140.211.11.9)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 06 Jul 2011 14:51:48 +0000
Received: from localhost (HELO mail-iw0-f180.google.com) (127.0.0.1)
  (smtp-auth username rnewson, mechanism plain)
  by minotaur.apache.org (qpsmtpd/0.29) with ESMTP;
 Wed, 06 Jul 2011 14:51:48 +0000
Received: by iwn9 with SMTP id 9so13248116iwn.11
        for <dev@couchdb.apache.org>; Wed, 06 Jul 2011 07:51:47 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.42.171.196 with SMTP id k4mr9096038icz.225.1309963907546; Wed,
 06 Jul 2011 07:51:47 -0700 (PDT)
Received: by 10.231.146.80 with HTTP; Wed, 6 Jul 2011 07:51:47 -0700 (PDT)
In-Reply-To: 
 <CABvT1DH7jyvX1H95a+jqheg64PN1Y8AVuQCg7UoC9wC1+3ZjYA@mail.gmail.com>
References: 
 <CABvT1DFkZHWMZ15DCVQiedy9+GdgCtXhMtY-8qfPq35bmeHOsw@mail.gmail.com>
	<CAKmKYaCUMMKr9mA6ssDVHyzcx+hueBdaOSgBCcrZr603Ci=R8A@mail.gmail.com>
	<CABvT1DH7jyvX1H95a+jqheg64PN1Y8AVuQCg7UoC9wC1+3ZjYA@mail.gmail.com>
Date: Wed, 6 Jul 2011 15:51:47 +0100
Message-ID: 
 <CABvT1DHOjFrD41kOhjd6pwPSQnnjR=S3f6oQbSwSS_0=Qxrw1A@mail.gmail.com>
Subject: Re: Improving password hashing.
From: Robert Newson <rnewson@apache.org>
To: dev@couchdb.apache.org
Content-Type: text/plain; charset=ISO-8859-1

To benoitc's point, we could switch sha256 in for sha1 as soon as it's
available in an OTP release.

B.

On 6 July 2011 15:50, Robert Newson <rnewson@apache.org> wrote:
> Because PBKDF2 has been designed and tested by cryptographers and is
> fully described in RFC 2898 which includes test vectors to verify an
> implementation. bcrypt is tied to a now obsolete cipher (blowfish), I
> don't know anything much about scrypt but anyone can claim they
> designed it to be more secure, but proving it is another matter.
>
> B.
>
> On 6 July 2011 15:43, Dirkjan Ochtman <dirkjan@ochtman.nl> wrote:
>> On Wed, Jul 6, 2011 at 14:43, Robert Newson <rnewson@apache.org> wrote:
>>> Some time ago I wrote some code to implement the PBKDF2 protocol. This
>>> is a cryptographically sound means of deriving a key from a password.
>>
>> Why is this better than stuff like bcrypt or scrypt? The page for the
>> latter, at least, states that it "is designed to be far more secure
>> against hardware brute-force attacks than alternative functions such
>> as PBKDF2".
>>
>> Cheers,
>>
>> Dirkjan
>>
>