lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 13 Mar 2014 16:09:28 -0400
From: Patrick Mylund Nielsen <>
To: "" <>
Subject: Re: [PHC] "Why I Don't Recommend Scrypt"

On Thu, Mar 13, 2014 at 2:45 PM, Tony Arcieri <> wrote:

> On Thu, Mar 13, 2014 at 11:42 AM, Patrick Mylund Nielsen <
>> wrote:
>> I never bought that argument. You can be DoS'ed in many, many ways. The
>> solution is exponential backoff and similar, not to (again) compromise on
>> the security of the password digests.
> Exponential backoff based on what, source IP address? What if you're being
> DDoSed?
> Account name? If you don't compute a password hash even for invalid
> account names, you're vulnerable to user enumeration attacks.

What I'm saying is you have exactly the same problems with any other kind
of request a user can make. You can DDoS a website simply by doing regular
login requests but with random (and non-existing) usernames, too. Yes, your
scrambling function is more expensive, but there are better, more generally
applicable solutions to these problems that don't involve using a crappy
construction for password authentication.

I am honestly curious: Has the compute overhead ever actually impacted
anyone who had more general DDoS protections? I am tired of seeing "It
makes it easier to DDoS you" come up in virtually every discussion about
password hashing, and seeing that argument be given equal credibility, when
we know for a fact that there are very real, much more serious, practical
downsides to not using expensive functions for password authentication.

It's bad enough that we can't get people to stop doing SHA256(pwd)--we
shouldn't be giving them reasons not to switch unless those reasons are
based in reality.

Content of type "text/html" skipped

Powered by blists - more mailing lists