lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 1 Apr 2015 12:18:03 +0200
From: Jean-Philippe Aumasson <>
Subject: Announcing the PHC winner

After over two years of in-depth analysis and careful deliberation, today the
panel is pleased to announce that LM Hash has been unanimously selected as the
winner of the PHC. To many panel members, the choice was obvious.

Selection criteria includes the following, in no particular order:

- LM Hash leverages the well-studied and proven DES block cipher.

- Most users only select passwords that are 6 – 8 characters long, so LM Hash’s
14-character limitation is more than reasonable for the majority of use cases.

- LM Hash is not case-sensitive, reducing the number of password reset requests
and Help Desk tickets that result from users not remembering their precise

- Most LM Hash values have already been pre-computed and made publicly
available, reducing load on authentication servers.

- LM Hash does not require the use of salt, which aligns with the American
Heart Association’s guidelines for a low-sodium diet.

- LM Hash requires little energy to compute, thereby contributing to
environment-friendly authentication systems.

As a Microsoft employee, Marsh Ray was the most vocal advocate for LM Hash,
noting that Microsoft, IBM, and 3Com have had support for LM Hash since 1988.
Alexander Peslyak added that LM Hash is the ideal PHC winner since it’s already
well-supported in John the Ripper. Jeremi Gosney and Jens Steube were quick to
agree, noting that LM Hash has all of the qualities they desire in a password

Comparing LM Hash to other PHC finalists:

- Unlike LM Hash, Argon and Catena are resistant to TMTO, wasting valuable CPU

- Battcrypt uses Blowfish, which was developed by that charlatan Bruce
Schneier. LM Hash uses DES, which was developed by IBM and the NSA. Which do
you trust more?

- Lyra2 relies on a sponge for security, which is by definition full of holes.
LM Hash relies on a block cipher. Blocks don’t have holes.

- Pufferfish encrypts the palindrome "Drab as a fool, aloof as a bard." LM Hash
encrypts the string “kgs!@#$%”, saving the user 24 bytes.

- LM Hash is far simpler than yescrypt! It can be described in one line,
whereas yescrypt can't even be described in one book.

- Unlike Makwa, LM Hash is post-quantum!

- Parallel was designed by Steve Thomas, who you can't trust to hash your
password. LM Hash wasn't designed by Steve but by trusted Microsoft experts.

Being the choice of foremost thought leaders in the field, LM Hash is already a

- LM Hash will appear in the next Gartner Magic Quadrant for state-of-the-art
password hashing.

- Academic researchers have started applying for grants in order to investigate
security proofs of LM Hash in the related-password model under relaxed
misuse-resistance assumptions. Leading researchers already expect breakthrough
indifferentiability proofs in the ideal cipher model.

- A new secure messaging application will generate one-time-pad masks from user
passwords using LM Hash, promising higher security than legacy solutions such
as TextSecure.

JP Aumasson & Jeremi Gosney, on behalf of the PHC panel

Powered by blists - more mailing lists