Date: Thu, 5 Mar 2015 16:23:07 +0300
From: Solar Designer <>
Subject: Re: [PHC] PHC output specifics

On Thu, Mar 05, 2015 at 01:52:34PM +0100, Krisztián Pintér wrote:
> On Wed, Mar 4, 2015 at 8:12 PM, Marsh Ray <> wrote:
> > · Conservative recommended default values for these parameters and
> > advice on other reasonable choices.
> i think this turned out very wrong with bcrypt, which comes with the
> recommendation of 10,

Where?  In my copy of the 1999 paper on bcrypt, only cost 6 and 8 are
mentioned (at the end of page 7) as OpenBSD defaults.

> which most people carelessly adopted,

Here's what I found actually in use in 2012:

"4-12 exist in the wild for password authentication, larger values are
sometimes seen for other uses (you may choose not to support such uses).

I think the defaults are as follows:

Solaris - $2a$04 once bcrypt is enabled (it is not by default)
CommuniGate Pro - $2a$05, ditto
OpenBSD - $2a$08 for root, $2a$06 for non-root
Owl - $2y$08 for all by default
openSUSE - $2y$10 for all by default

Google web searches also find numerous instances of $2a$12, albeit
mostly in discussions on use of bcrypt from scripts and such.

An example use other than password authentication:

This has $2a$16 and $2a$20 samples.

The paper and slides on scrypt compare it against bcrypt at up to $2a$16
("tuned for file encryption")."

> despite on today's hardware it is rather small.

Depends on use case.  For mass user authentication, it is actually
pretty large.  Arguably, password hashing slowness should not become a
server's weakest link in terms of resource consumption DoS attacks.
(Of course, there may be countermeasures to such DoS attacks, and to
online password probing in general.)

I don't mean to argue with the main points you're making.  I actually
agree.  I primarily wanted to comment on bcrypt's costs in use.
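The cost figures discussed in this message live in the hash string itself, in the `$2<variant>$<cost>$` prefix, and a site that wants to know what is actually in use can read them straight out of its password database. The following is an added example, not code from this message or from the PHC discussion: a stdlib-only Python auditor that parses bcrypt modular-crypt strings, rejects costs outside bcrypt's 4..31 range, checks that the salt and digest tails are canonically encoded, flags entries below a chosen minimum cost, and scales an assumed single-core benchmark figure to show how quickly higher costs eat into the authentications-per-second budget that the DoS point above is about. The sample hashes are constructed (syntactically valid, hashes of nothing) and mirror the default costs listed above; the 1 ms-at-cost-4 figure is an assumption to be replaced with a measurement.

```python
"""Audit bcrypt cost settings found in a password database.

Added example (not from the original message).  Stdlib only; it works on
the hash *string* and never runs bcrypt itself.
"""
import re

# bcrypt's own base64 alphabet (differs from RFC 4648 in order, no padding).
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# Modular crypt format: $2<variant>$<cost>$<22-char salt><31-char digest>
_BCRYPT_RE = re.compile(
    r"^\$(?P<variant>2[abxy]?)\$(?P<cost>[0-9]{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)
MIN_COST, MAX_COST = 4, 31  # cost is log2 of the key-schedule iterations


def parse_bcrypt(hash_str):
    """Split a bcrypt string into its fields; raise ValueError if malformed."""
    m = _BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    cost = int(m["cost"])
    if not MIN_COST <= cost <= MAX_COST:
        raise ValueError(f"cost {cost} outside {MIN_COST}..{MAX_COST}")
    # 22 salt chars carry 128 bits: the last char contributes only 2 bits,
    # so its low 4 bits must be zero.  31 digest chars carry 184 bits: the
    # last char contributes 4 bits, so its low 2 bits must be zero.
    canonical = (BCRYPT_ALPHABET.index(m["salt"][-1]) % 16 == 0
                 and BCRYPT_ALPHABET.index(m["digest"][-1]) % 4 == 0)
    return {"variant": m["variant"], "cost": cost, "salt": m["salt"],
            "digest": m["digest"], "canonical": canonical}


def work_factor(cost):
    """Number of expensive key-schedule rounds: 2**cost."""
    return 1 << cost


def relative_work(cost, baseline_cost):
    """How many times more CPU one hash at `cost` takes than at `baseline_cost`."""
    return work_factor(cost) / work_factor(baseline_cost)


def max_auths_per_second(cost, *, ref_cost, ref_seconds, cores=1):
    """Upper bound on password checks/s a server can sustain at `cost`.

    `ref_seconds` is an ASSUMED measured time for one hash at `ref_cost` on
    one core; nothing here is benchmarked, the figure is only scaled.
    """
    return cores / (ref_seconds * relative_work(cost, ref_cost))


def audit(hashes, min_cost):
    """Flag malformed hashes and hashes whose cost is below `min_cost`."""
    report = []
    for h in hashes:
        try:
            p = parse_bcrypt(h)
        except ValueError as exc:
            report.append({"hash": h, "ok": False, "cost": None, "reason": str(exc)})
            continue
        ok = p["cost"] >= min_cost
        reason = None if ok else f"cost {p['cost']} below minimum {min_cost}"
        if ok and not p["canonical"]:
            reason = "non-canonical salt/digest encoding"
        report.append({"hash": h, "ok": ok, "cost": p["cost"],
                       "variant": p["variant"], "reason": reason})
    return report


def constructed_hash(variant, cost, seed):
    """Build a syntactically valid but meaningless bcrypt string (constructed
    test data, not a real hash of anything)."""
    state, chars = seed, []
    for _ in range(51):
        state = (state * 1103515245 + 12345) & 0x7FFFFFFF  # tiny LCG, demo only
        chars.append(BCRYPT_ALPHABET[(state >> 16) % 64])
    salt = "".join(chars[:21]) + "."    # '.' is index 0: canonical last char
    digest = "".join(chars[21:]) + "."
    return f"${variant}${cost:02d}${salt}{digest}"


# Constructed samples mirroring the defaults listed in the message above.
SAMPLE_HASHES = [
    constructed_hash("2a", 4, 1),    # Solaris default once bcrypt is enabled
    constructed_hash("2a", 5, 2),    # CommuniGate Pro
    constructed_hash("2a", 6, 3),    # OpenBSD, non-root
    constructed_hash("2a", 8, 4),    # OpenBSD, root
    constructed_hash("2y", 8, 5),    # Owl
    constructed_hash("2y", 10, 6),   # openSUSE
    constructed_hash("2a", 12, 7),   # common in scripts
    "$2a$03$" + "x" * 53,            # malformed: cost below the minimum
]

if __name__ == "__main__":
    for row in audit(SAMPLE_HASHES, min_cost=10):
        print(f"{row['hash'][:7]:8} ok={row['ok']!s:5} {row['reason'] or ''}")
    # Assumed figure: 1 ms per hash at cost 4 on one core (replace with a measurement).
    for c in (4, 8, 10, 12):
        print(f"cost {c:2}: {relative_work(c, 4):6.0f}x cost-4 work, "
              f"<= {max_auths_per_second(c, ref_cost=4, ref_seconds=0.001):.1f} auth/s/core")
```

Run it over a real shadow file by feeding the hash column to `audit()`; the throughput numbers are only as good as the `ref_seconds` you measure on the actual authentication host, but the 2^cost scaling is exact, so going from $2a$10 to $2a$12 always quarters the login rate a given core can absorb.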

