Date: Sun, 31 Aug 2014 13:55:37 +0200
From: Krisztián Pintér <>
Subject: Re: [PHC] An additional PHS API to include a string?

Bill Cox (at Sunday, August 31, 2014, 1:31:22 PM):

> The Microsoft presentation made a good point that stuck with me: users
> hate dealing with all these different parameters like m_cost and
> t_cost, and they'll just stick with password and salt if we can't
> simplify storing hashes in a database.

converting the result hash, and optionally any parametrization, to a
string is perpendicular to password hashing. it can be added later, it
is straightforward, it is independent of the actual algorithm, and it
can be supplied as a helper function to the core hash function. my
conclusion is: we should not discuss it, it is a waste of time.

side note: does anyone know why bcrypt packs only 23 bytes of the 24
byte hash into the string representation?
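A helper of the kind this message describes, as an added example that is not part of the original post or of any PHC submission: the string encoding wraps an arbitrary core function and never looks inside it. The `$demo$` string layout, the parameter bounds, and the use of scrypt as a stand-in core (with N = 2**m_cost, p = t_cost) are assumptions made for illustration.

```python
import base64, hashlib, hmac, os

MAX_T, MAX_M = 4, 14   # assumed bounds: a stored string must not dictate unbounded cost

def core_hash(password, salt, t_cost, m_cost, outlen=32):
    # Stand-in for a PHS-style core function (assumption): scrypt, N = 2**m_cost, p = t_cost.
    return hashlib.scrypt(password, salt=salt, n=1 << m_cost, r=8, p=t_cost, dklen=outlen)

def _b64(raw):
    return base64.b64encode(raw).decode().rstrip("=")

def _unb64(text):
    return base64.b64decode(text + "=" * (-len(text) % 4))

def encode(tag, t_cost, m_cost, salt, digest):
    # One self-describing field for the database: $tag$params$salt$hash
    return f"${tag}$m={m_cost},t={t_cost}${_b64(salt)}${_b64(digest)}"

def decode(stored):
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] != "":
        raise ValueError("malformed hash string")
    tag, params, salt, digest = parts[1:]
    kv = dict(item.split("=", 1) for item in params.split(","))
    if set(kv) != {"m", "t"}:
        raise ValueError("unexpected parameter set")
    t_cost, m_cost = int(kv["t"]), int(kv["m"])
    salt, digest = _unb64(salt), _unb64(digest)
    if not (1 <= t_cost <= MAX_T and 1 <= m_cost <= MAX_M):
        raise ValueError("cost parameters out of accepted range")
    if not (16 <= len(digest) <= 64) or not salt:
        raise ValueError("bad salt or digest length")
    return tag, t_cost, m_cost, salt, digest

def hash_password(password, t_cost=1, m_cost=10, core=core_hash, tag="demo"):
    salt = os.urandom(16)
    digest = core(password.encode(), salt, t_cost, m_cost)
    return encode(tag, t_cost, m_cost, salt, digest)

def verify_password(password, stored, core=core_hash, tag="demo"):
    try:
        stored_tag, t_cost, m_cost, salt, digest = decode(stored)
    except ValueError:
        return False
    if stored_tag != tag:
        return False
    candidate = core(password.encode(), salt, t_cost, m_cost, len(digest))
    return hmac.compare_digest(candidate, digest)
```

The one place the wrapper touches security rather than formatting is `decode`: parameters read back from storage are bounded before they reach the core function.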
