Message-ID: <CAGiyFddRU6fH5C0NpLLTrzeuxYGoJP5+QALfzKydqaH1PFbQ_A@mail.gmail.com>
Date: Tue, 20 Aug 2013 23:02:27 +0200
From: Jean-Philippe Aumasson <jeanphilippe.aumasson@...il.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Terminology goals

Agree with the need for a name better than "password hashing scheme",
or "password hash".

IIRC in previous Twitter discussions an idea was to avoid the word
"hash" altogether and some people proposed things like "password
scramblers". Also, a good name should probably include a connotation
of work factor/slowness.

Perhaps we should organize a separate competition: The Password Hash
Naming Competition.

On Tue, Aug 20, 2013 at 10:41 PM, Jeffrey Goldberg <jeffrey@...dmark.org> wrote:
> On 2013-08-20, at 3:14 PM, Marsh Ray <maray@...rosoft.com> wrote:
>
>> Since an authentication scheme for password-based credentials has a subtly different set of security properties than general hashing, message digesting, MACing, and even key derivation, we should strongly consider giving it a different name.
>
> Please! I'm tired of putting scare-quotes around "hash" every time I write about this. One of our goals is to make things easier for services to do things properly. I still remember the people complaining that BLAKE2 was bad because it was too fast. Separate terms will help make it clear that different things have different design goals.
>
>> The values derived from the generate function. For example, we could call it a “pash function” or “pash values”, which you could think of as “Password Authentication ScHeme” or just “Password Hash”.
>
> Nice. I think I might start using that terminology right away. I don't think we need to wait for contest results to start doing this.
>
> (I'd also like something for KDFs that are designed to have a work factor for when the function output isn't for authentication.  "k-desh" for "Key Derivation ScHeme"? But as this is the PHC project and not the KDF-C project, my additional wishes here are off-topic.)
>
> Cheers,
>
> -j
