lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 13 Mar 2014 12:53:07 -0400
From: Bill Cox <>
Subject: Re: [PHC] "Why I Don't Recommend Scrypt"

On Thu, Mar 13, 2014 at 11:50 AM, Tony Arcieri <> wrote:
> Here's an odd post I ran across...
> As far as I can tell, he's arguing that scrypt is more secure than bcrypt
> (at the recommended settings), but recommending bcrypt anyway for no
> apparent reason?
> --
> Tony Arcieri

I don't agree with the blog post, but his opinion isn't outrageous.
Bcrypt in the short term provides decent anti-GPU resistance, from
what I hear.

However, Bcrypt provides orders of magnitude worse resistance than
Scrypt against ASICs, and GPU architectures are likely to make Bcrypt
insecure in the not too distant future, while Scrypt will simply
follow Moore's Law.

I think the NSA would prefer that we continue using Bcrypt and not
switch to Scrypt.  Let's assume they have liquid nitrogen cooled ASICs
with 1024 Bcrypt hashing cores running say 2X faster than the fastest
CPU on each core.  If I understand correctly, Bcrypt only requires
4KiB of memory, so integrating 1024 of them is not unreasonable.  Per
board, let's guess they have 64 chips, and maybe 1024 boards, for a
factor of 134 million-to-1 compute power vs a high-end PC.

Bcrypt is safe against all those GPU crackers who don't have the money
to build what the NSA can, so bcrypt does a good job protecting the
public, while allowing government sized organizations the ability to
crack passwords far more effectively.  I think that's the NSA's
prefered sweet spot for the public.

Personally, I would use Scrypt now, and probably the PHC password
winner in the future, but I understand the guys who only feel they can
spend 10ms or less on a password hash.  Solar Designer has some great
stuff in Escrypt for those guys.


Powered by blists - more mailing lists