Date: Mon, 20 Jan 2014 19:21:53 +0100
From: Christian Forler <>
Subject: Re: [PHC] cost upgrades (Re: [PHC] Scripting memory (not so) high
 vs Catena in PHP (with optimizations))

[ Pros and Cons of CI-Updates ]

> Now, to your example with year 2030.  A lot might change by then.
> Suppose PBKDF2' were defined in 1999 to support cost upgrades (and this
> wouldn't even have the drawbacks mentioned above since PBKDF2 is
> compute-only anyway).  This means that technically we could upgrade
> existing PBKDF2' hashes by merely adding iterations now.  Would we do
> that e.g. shortly after PHC concludes (hopefully giving us a good,
> modern password hashing scheme)?  No, if practical on a given deployment
> (and I recognize that it's an "if"), I'd rather wrap those PBKDF2' hashes
> in the modern hash.  Are you guessing that a significantly better scheme
> won't appear by 2030 (to justify the switch) or that e.g. Catena would
> be just good enough not to bother switching?  That's actually quite
> possible, given how bcrypt is still good enough for many uses now.

I do believe that we will have much better schemes in 2030 than in 2014.
Like we had better block-ciphers in 1998 than in 1977, or better hash
functions in 2001 than in 1992. People are very good at
improving existing designs.

Nevertheless, MD5, RC4, and (T)DES are still used almost everywhere. So,
I do predict that the PHC winner(s) will still be used in
2030, even when already superseded by superior KDFs.

Sometimes, due to technical, economic, or political reasons, system
administrators are not able to switch to a better scheme. In this case,
CI-updates together with cost-parameter adaption enable system
administrators to provide some kind of "reasonable" protection to
password hashes of (active and inactive) users.

Best regards,
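
An added illustration of the client-independent (CI) update idea discussed in this message, not code from the post, from Catena, or from any PHC submission: a toy compute-only iterated hash whose stored digest the server can strengthen without the password, so inactive accounts are upgraded too. The chain construction and every name in it are assumptions made for this example, and being compute-only it shows the upgrade mechanics, not a recommended scheme.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    salt: bytes
    cost: int      # log2 of the iteration count (hypothetical parameter)
    digest: bytes


def _extend(salt: bytes, state: bytes, start: int, stop: int) -> bytes:
    # Each step depends only on the previous state and a public counter,
    # so the chain can be resumed from a stored digest.
    for i in range(start, stop):
        state = hashlib.sha256(salt + i.to_bytes(8, "big") + state).digest()
    return state


def hash_password(password: str, cost: int, salt: bytes = b"") -> Record:
    salt = salt or os.urandom(16)
    seed = hmac.new(salt, password.encode(), hashlib.sha256).digest()
    return Record(salt, cost, _extend(salt, seed, 0, 1 << cost))


def upgrade(rec: Record, new_cost: int) -> Record:
    # CI-update: runs on the server with no password and no user login.
    if new_cost < rec.cost:
        raise ValueError("cost can only be raised; the chain is one-way")
    digest = _extend(rec.salt, rec.digest, 1 << rec.cost, 1 << new_cost)
    return Record(rec.salt, new_cost, digest)


def verify(password: str, rec: Record) -> bool:
    candidate = hash_password(password, rec.cost, rec.salt)
    return hmac.compare_digest(candidate.digest, rec.digest)


if __name__ == "__main__":
    old = hash_password("correct horse", cost=10)   # constructed sample input
    new = upgrade(old, 14)                          # offline, password unknown
    print(verify("correct horse", new), verify("wrong", new))
```
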
