Hacker News new | past | comments | ask | show | jobs | submit login

Better still, use scrypt. HN's very own @cperciva wrote it.

http://www.tarsnap.com/scrypt.html

It requires a lot more memory to brute-force it, thereby defeating any speed gains from parallelism.




The reason people are going to use bcrypt is that there are more likely going to be bcrypt implementations in their given language: http://stackoverflow.com/questions/10149554/are-there-any-ph...

I just had to make this choice a few days ago and bcrypt seemed like the best option with working PHP implementations. And I sure as hell am not going to try to roll my own.


The responses to that stack overflow question makes me want to punch somebody in the face!

The #1 google response for info about Scrypt for php now points to an article arguing about the semantics of the question with no answer. Classic!


THANK YOU

"use bcrypt" has become an HN meme, with all the bad implications of it

As if scrypt, pbkdf2 didn't exist. Or as if bcrypt has always existed and doesn't have any weakness


Please stop stirring up drama about this issue. While you are technically incorrect (PBKDF2-SHA1 is faster than and thus inferior to bcrypt), it's irrelevant: all three of [scrypt, bcrypt, PBKDF2] are just fine, and you can safely pick one at random.


If a database of bcrypted passwords from LNKD had been leaked, we'd be having a totally different conversation right now. (Same, of course, with scrypt etc.)


Like you can't break bcrypt...

The weakest link, either in bcrypt or MD5 is the password quality.

Of course, in pure MD5 today you're a google search away and modern computers can eat salted MD5 for breakfast

But the easiest passwords are going to be broken first


Am not a cryptographer by any means, so please correct me if I'm wrong:

If you use any reasonable cost for bcrypt, you're talking hundreds of milliseconds per attempt on a modern CPU. For each 6-character password (since you can't generate a rainbow table) at 100ms per pop, you're talking about something on the order of 2+ years per password divided by the number of CPUs. With something like 900 CPUs running continuously, you could expect to recover one 6-char every day if the passwords were randomly distributed in the 6-char alphanumeric space. So, pretty feasible, assuming a 100ms cost. Short passwords do hurt you; I agree.

Now for 8-char alphanumeric passwords, you'd have to run ~1 million CPUs continuously to expect to recover one per day at a 100ms-per-pop cost. This is more of a stretch, assuming you're trying to do this with, e.g., botnets. It seems that someone asking for help cracking a password list on a forum would probably not be able to assemble this much computing power.

Or 1 billion CPUs continuously to expect to recover one 10-char alphanumeric password per day.

Of course, the assumption of random alphanumerics is wrong, both because many people will use common passwords and because others will use non-alphanumeric character substitution.

At any rate, it seems to me that leaking non-salted SHA1 hashes is virtually the worst case disaster scenario, short of plaintext passwords.


I didn't do the math but it sounds right.

But suppose tomorrow it takes 10ms. Also, tomorrow, available spaces will increase, so the likelihood of a space vs time tradeoff (even partial) increases

WEP was considered "good enough" at first (even though it had obvious problems at first like key size), WAP was considered unbreakable at first, today it's feasible with cloud computing or GPUs.

And then we'll be complaining on HN that they didn't use xyzcrypt or something instead of bcrypt.

" it seems to me that leaking non-salted SHA1 hashes is virtually the worst case disaster scenario"

Yes. Salt is password storage 101!


The time bcrypt takes is configurable, so in the future you can adjust the amount of work per password -- this is literally a one-character change in your code -- and be alright again. Ditto for the rest of the decent password hashing schemes.


True, but you can't really bet on that

Sure, you can increase the work, but you'll still be limited by bcrypt size

Otherwise, you could just MD5 hash stuff X times and be done with it

Sure, bcrypt today is very safe, but I wouldn't be surprised if attacks are found today (even if they rely only on bruteforce)

And let's not forget implementation issues that may happen in specific bcrypt libraries


I think you are propagating the myth that a scheme can be secure forever.

It's ok if WAP is breakable with cloud computing, because the whole point was to secure it for the next X years so that it takes more than Y dollars to break it. You only need to protect million dollar data enough that it costs 10 million dollars to get it.

If the data is valuable enough and protected heavily enough with crypto, the cheapest way to get it is through a meatspace attack (break-in, abduction, etc).

> WEP was considered "good enough"

Not by security professionals once they saw the effective size of the key. It's the downgrading of what looked like a 64bit key into a 48bit key that was the biggest problem.


You are not wrong at all.


The math doesn't sound right. Google allows any ASCII character for their passwords, which is 95 chars. I calculate 2330 years to crack each password. Did I get something wrong?

(95^6 * .1sec per hash) / (60sec 60min 24hrs 365days)

The key difference is bcrypt does ~10 hash/sec. A GPU-enabled password cracking machine can do over 500 million hashes per second. That generates a rainbow table in ~30 minutes.


These hashes were posted on a forum as a plea for help: the guy did not have enough computational power to crack them all on his own. Had they been salted bcrypt hashes, it might have actually discouraged him to the point of not even trying.

So yeah, the weakest passwords will always fall, but good solutions will go to great length to protect even the most clueless of users.


What weakness does bcrypt have?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: