lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 14 Sep 2015 18:33:17 +0200
From: beloumi <>
Subject: Re: [PHC] Specification of a modular crypt format

Am 14.09.2015 um 18:05 schrieb Hugo Landau:
> While it's true that existing crypt() implementations and their base64
> implementation is widespread, RFC 4648 base64 is more prevalent still.
> And consider that the most pressing case for modern password hashing
> is probably not in /etc/shadow, but in the user databases of large,
> popular websites. Developers in this circumstance (or, preferably,
> people developing password hashing libraries) will have RFC 4648
> base64 libraries available to them, but if they have to use crypt()
> base64 they may have to implement it themselves, which creates the
> risk that they will implement it in a subtly buggy or broken fashion.
> I say this from experience; I implemented sha512-crypt in Go, and had
> to implement crypt() base64. Whereas if it had used RFC 4648 base64
> existing base64 libraries could have been reused. Not really a
> problem, but it feels like an unnecessary liability. 
I agree to Hugo.
I had implemented Bcrypt for Bouncy Castle Crypto API (Java).
RFC 4648 would have been available, but I had to write an extra Base64
encoding for Bcrypt.

Powered by blists - more mailing lists