Password Hashes, Again
Max Kanat-Alexander
mkanat at bugzilla.org
Mon Apr 16 06:05:52 UTC 2012
On 04/13/2012 03:19 AM, Frédéric Buclin wrote:
> It's interesting to see that the author of this post suddenly stops
> giving numbers when talking about salted-passwords.
He explains that salting them doesn't matter, because he's talking
about brute-force numbers. It would take exactly the same amount of time
to brute-force our salted hashes as it would to brute-force unsalted
hashes. Salting is only to stop rainbow tables, which (as the author
points out) are now less practical than brute force.
> The other reference, bcrypt, seems to be weaker than scrypt against
> brute-force attacks. So we shouldn't jump in the game too quickly.
bcrypt has been around for a long time and is not possible to implement
on GPUs. scrypt is a newer effort by the same authors and is not as well
tested but is theoretically safer.
-Max
--
Max Kanat-Alexander
Chief Architect, Community Lead, and Release Manager
Bugzilla Project
http://www.bugzilla.org/
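As an added illustration of the two points argued above (not code from this thread or from Bugzilla): a salt only makes the same password hash differently for each user, while the per-guess cost that brute force has to pay comes from the work factor. PBKDF2 from the standard library is assumed here as a stand-in for bcrypt's or scrypt's cost parameter, and the iteration counts are constructed values.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumption: PBKDF2-HMAC-SHA256 iterations stand in for the bcrypt/scrypt
# cost parameter, purely because pbkdf2_hmac ships with Python.
DEFAULT_ITERATIONS = 200_000  # constructed value, not a recommendation


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt_hex$digest_hex'; salt is 16 random bytes unless given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; constant-time compare of digests."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def salt_defeats_precomputation(password: str) -> bool:
    """Two users with the same password store different digests, so a table
    keyed by digest (rainbow table) cannot be reused across users."""
    a = hash_password(password, iterations=1)
    b = hash_password(password, iterations=1)
    return a.split("$")[2] != b.split("$")[2]


def seconds_per_guess(iterations: int, trials: int = 5) -> float:
    """Wall-clock cost of one verification: this is also what each brute-force
    guess costs the attacker, and the salt does not change it."""
    stored = hash_password("correct horse", iterations=iterations)
    start = time.perf_counter()
    for _ in range(trials):
        verify_password("wrong guess", stored)
    return (time.perf_counter() - start) / trials


def cost_ratio(low: int = 1, high: int = DEFAULT_ITERATIONS) -> float:
    """How many times slower each guess becomes when the work factor rises."""
    return seconds_per_guess(high) / max(seconds_per_guess(low), 1e-9)
```

Raising the work factor is the only knob here that changes `seconds_per_guess`; changing the salt changes the digest but not the time.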