lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 13 Apr 2014 16:53:45 +0100
From: Alec Muffett <>
Subject: Re: [PHC] Do we need a common password hashing API?

On 13 April 2014 00:53, Bill Cox <> wrote:

> Now that I've got all the entries linking with the PHS API, I wonder if it
> would be useful to provide the world with a real one, something they could
> actually use in their applications.  If I were developing an application
> right now that needed to hash passwords, I'd like to future-proof my code
> by linking against an "official" API, which would allow me to select an
> established hashing algorithm now (like Bcrypt, Script, PBKDF2, or HKDF),
> and easily switch in the future, after PHC winners are announced.
> Such an API would need some more parameters than the PHS API, such as the
> hashing algorithm (like PBKDF2), a PRF (like SHA256), and a boolean flag
> saying whether it's OK for the algorithm to clear the password.  We might
> also want an additional data field, or maybe even a generic interface that
> would allow users to hash as much data as they like, similar to the
> init/update/final APIs.  Maybe it would be good to have something for
> dealing with salt and settings string generation, similar to what
> Pufferfish has.  The easier we can make life for users, the better.

Some of this was the original intention behind the Solaris Pluggable Crypt
Framework. [statement of interest: I am a co-author]

tl;dr: make it ASCII and let the DLL sort out the details.

    - alec


Content of type "text/html" skipped

Powered by blists - more mailing lists