<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
  </head>
  <body text="#000000" bgcolor="#ffffff">
    I think the conventional wisdom to use a SHA-2/salted/iterated hash
    for password storage is just wrong. Here is a solid article that
    discusses why.<br>
    <br>
    <a href="http://codahale.com/how-to-safely-store-a-password/">http://codahale.com/how-to-safely-store-a-password/</a><br>
    <br>
    Thoughts?<br>
    <span class="Apple-style-span" style="border-collapse: separate;
      color: rgb(0, 0, 0); font-family: 'Times New Roman'; font-style:
      normal; font-variant: normal; font-weight: normal; letter-spacing:
      normal; line-height: normal; orphans: 2; text-indent: 0px;
      text-transform: none; white-space: normal; widows: 2;
      word-spacing: 0px; font-size: medium;"><span
        class="Apple-style-span" style="font-family: 'Sabon Lt
        Std','Hoefler Text','Palatino Linotype','Book Antiqua',serif;
        font-size: large;">
        <h2 class="post-title" style="font-size: 22px; margin-bottom:
          0px;"><a
            href="http://codahale.com/how-to-safely-store-a-password/"
            style="text-decoration: none; color: rgb(0, 0, 0);">How To
            Safely Store A Password</a></h2>
        <p class="date" style="width: 30em; margin-left: 5px;
          font-style: italic; margin-top: 0px; font-size: small;">31 Jan
          2010</p>
        <h2 style="font-size: 22px;">Why Not {<code style="font-family:
            Menlo,Consolas,Inconsolata,Anonymous,Monaco,monospace;">MD5</code>,<span
            class="Apple-converted-space">&nbsp;</span><code
            style="font-family:
            Menlo,Consolas,Inconsolata,Anonymous,Monaco,monospace;">SHA1</code>,<span
            class="Apple-converted-space">&nbsp;</span><code
            style="font-family:
            Menlo,Consolas,Inconsolata,Anonymous,Monaco,monospace;">SHA256</code>,<span
            class="Apple-converted-space">&nbsp;</span><code
            style="font-family:
            Menlo,Consolas,Inconsolata,Anonymous,Monaco,monospace;">SHA512</code>,<span
            class="Apple-converted-space">&nbsp;</span><code
            style="font-family:
            Menlo,Consolas,Inconsolata,Anonymous,Monaco,monospace;">SHA-3</code>,
          etc}?</h2>
        <p style="width: 30em; margin-left: 5px;">These are all<span
            class="Apple-converted-space">&nbsp;</span><em>general purpose</em><span
            class="Apple-converted-space">&nbsp;</span>hash functions,
          designed to calculate a digest of huge amounts of data in as
          short a time as possible. This means that they are fantastic
          for ensuring the integrity of data and utterly rubbish for
          storing passwords.</p>
        <p style="width: 30em; margin-left: 5px;">A modern server can
          calculate the MD5 hash of about<span
            class="Apple-converted-space">&nbsp;</span><a
            href="http://www.cryptopp.com/benchmarks-amd64.html">330MB
            every second</a>. If your users have passwords which are
          lowercase, alphanumeric, and 6 characters long, you can try<span
            class="Apple-converted-space">&nbsp;</span><em>every single
            possible password of that size</em><span
            class="Apple-converted-space">&nbsp;</span>in around<span
            class="Apple-converted-space">&nbsp;</span><strong>40 seconds</strong>.</p>
        <p style="width: 30em; margin-left: 5px;">And that&#8217;s without
          investing anything.</p>
        <p style="width: 30em; margin-left: 5px;">If you&#8217;re willing to
          spend about 2,000 USD and a week or two picking up<span
            class="Apple-converted-space">&nbsp;</span><a
            href="http://www.nvidia.com/object/cuda_home.html">CUDA</a>,
          you can put together your own little supercomputer cluster
          which will let you<span class="Apple-converted-space">&nbsp;</span><a
            href="http://www.win.tue.nl/cccc/sha-1-challenge.html">try
            around 700,000,000 passwords a second</a>. And at that rate
          you&#8217;ll be cracking those passwords at the rate of more than<span
            class="Apple-converted-space">&nbsp;</span><strong>one per
            second.</strong></p>
        <h2 style="font-size: 22px;">Salts Will Not Help You</h2>
        <p style="width: 30em; margin-left: 5px;">It&#8217;s important to note
          that<span class="Apple-converted-space">&nbsp;</span><strong>salts
            are useless for preventing dictionary attacks or brute force
            attacks.</strong><span class="Apple-converted-space">&nbsp;</span>You
          can use huge salts or many salts or hand-harvested,
          shade-grown, organic<span class="Apple-converted-space">&nbsp;</span><a
            href="http://en.wikipedia.org/wiki/Himalayan_salt">Himalayan
            pink salt</a>. It doesn&#8217;t affect how fast an attacker can
          try a candidate password, given the hash and the salt from
          your database.</p>
        <p style="width: 30em; margin-left: 5px;">Salt or no, if you&#8217;re
          using a general-purpose hash function designed for speed
          you&#8217;re well and truly effed.</p>
        <h2 style="font-size: 22px;"><code style="font-family:
            Menlo,Consolas,Inconsolata,Anonymous,Monaco,monospace;">bcrypt</code><span
            class="Apple-converted-space">&nbsp;</span>Solves These Problems</h2>
        <p style="width: 30em; margin-left: 5px;">How? Basically, it&#8217;s
          slow as hell. It uses a variant of the Blowfish encryption
          algorithm&#8217;s keying schedule, and introduces a<span
            class="Apple-converted-space">&nbsp;</span><em>work factor</em>,
          which allows you to determine how expensive the hash function
          will be. Because of this,<span class="Apple-converted-space">&nbsp;</span><code
            style="font-family:
            Menlo,Consolas,Inconsolata,Anonymous,Monaco,monospace;
            background-color: rgb(238, 238, 255); border: 1px solid
            rgb(221, 221, 221); font-size: 17px; padding: 0px 0.2em;">bcrypt</code><span
            class="Apple-converted-space">&nbsp;</span>can keep up with
          Moore&#8217;s law. As computers get faster you can increase the work
          factor and the hash will get slower.</p>
        <p style="width: 30em; margin-left: 5px;">How much slower is<span
            class="Apple-converted-space">&nbsp;</span><code
            style="font-family:
            Menlo,Consolas,Inconsolata,Anonymous,Monaco,monospace;
            background-color: rgb(238, 238, 255); border: 1px solid
            rgb(221, 221, 221); font-size: 17px; padding: 0px 0.2em;">bcrypt</code><span
            class="Apple-converted-space">&nbsp;</span>than, say,<span
            class="Apple-converted-space">&nbsp;</span><code
            style="font-family:
            Menlo,Consolas,Inconsolata,Anonymous,Monaco,monospace;
            background-color: rgb(238, 238, 255); border: 1px solid
            rgb(221, 221, 221); font-size: 17px; padding: 0px 0.2em;">MD5</code>?
          Depends on the work factor. Using a work factor of 12,<span
            class="Apple-converted-space">&nbsp;</span><code
            style="font-family:
            Menlo,Consolas,Inconsolata,Anonymous,Monaco,monospace;
            background-color: rgb(238, 238, 255); border: 1px solid
            rgb(221, 221, 221); font-size: 17px; padding: 0px 0.2em;">bcrypt</code><span
            class="Apple-converted-space">&nbsp;</span>hashes the password<span
            class="Apple-converted-space">&nbsp;</span><code
            style="font-family:
            Menlo,Consolas,Inconsolata,Anonymous,Monaco,monospace;
            background-color: rgb(238, 238, 255); border: 1px solid
            rgb(221, 221, 221); font-size: 17px; padding: 0px 0.2em;">yaaa</code> in
          about 0.3 seconds on my laptop.<span
            class="Apple-converted-space">&nbsp;</span><code
            style="font-family:
            Menlo,Consolas,Inconsolata,Anonymous,Monaco,monospace;
            background-color: rgb(238, 238, 255); border: 1px solid
            rgb(221, 221, 221); font-size: 17px; padding: 0px 0.2em;">MD5</code>,
          on the other hand, takes less than a microsecond.</p>
        <p style="width: 30em; margin-left: 5px;">So we&#8217;re talking about<span
            class="Apple-converted-space">&nbsp;</span><strong>5 or so orders
            of magnitude</strong>. Instead of cracking a password every
          40 seconds, I'd be cracking them every<span
            class="Apple-converted-space">&nbsp;</span><strong>12 years</strong><span
            class="Apple-converted-space">&nbsp;</span>or so. Your passwords
          might not need that kind of security and you might need a
          faster comparison algorithm, but<span
            class="Apple-converted-space">&nbsp;</span><code
            style="font-family:
            Menlo,Consolas,Inconsolata,Anonymous,Monaco,monospace;
            background-color: rgb(238, 238, 255); border: 1px solid
            rgb(221, 221, 221); font-size: 17px; padding: 0px 0.2em;">bcrypt</code> allows
          you to choose your balance of speed and security. Use it.</p>
      </span></span><br>
    <br>
    Feedback appreciated,<br>
    Jim<br>
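    <br>
    An added example, not part of the original message or the quoted article: a storage audit that sorts stored password values into bcrypt strings (reading the work factor from the string) and bare or salted fast-hash digests, which the article argues against. The <code>MIN_COST</code> floor of 12, the <code>salt:digest</code> layout and the sample rows are assumptions made for illustration.<br>

```python
import re

# bcrypt modular-crypt string: $2a$ / $2b$ / $2y$, two-digit work factor,
# then 22 salt characters and 31 digest characters (53 in total).
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Bare hex digests recognised by length; other hashes share these lengths.
HEX_LENGTHS = {32: "MD5", 40: "SHA1", 64: "SHA256", 128: "SHA512"}
MIN_COST = 12  # assumed policy floor, taken from the article's example


def classify(stored):
    """Return (scheme, verdict) for one stored password value."""
    match = BCRYPT_RE.match(stored)
    if match:
        cost = int(match.group(1))
        verdict = "ok" if cost >= MIN_COST else "rehash at next login"
        return ("bcrypt cost=%d" % cost, verdict)
    # "salt:digest" layouts: a salt does not make the digest slower to
    # compute, so only the digest field decides the verdict.
    salt, sep, digest = stored.rpartition(":")
    if HEX_RE.match(digest) and len(digest) in HEX_LENGTHS:
        label = HEX_LENGTHS[len(digest)] + "-length digest"
        if sep:
            label += " (salted)"
        return (label, "fast hash: migrate to bcrypt")
    return ("unknown", "review manually")


def audit(rows):
    """Return the rows that need action as (user, scheme, verdict)."""
    findings = []
    for user, stored in rows:
        scheme, verdict = classify(stored)
        if verdict != "ok":
            findings.append((user, scheme, verdict))
    return findings


# Constructed sample rows; none of these values is a real credential hash.
SAMPLE_ROWS = [
    ("alice", "$2a$12$" + "N" * 53),
    ("bob", "$2a$04$" + "N" * 53),
    ("carol", "ab" * 16),
    ("dave", "s4lt:" + "cd" * 20),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROWS):
        print(finding)
```

    A hex digest's length only narrows down the algorithm, so the labels say "MD5-length" rather than naming the hash outright.<br>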
  </body>
</html>