| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <55F6F6CD.6010102@riseup.net> Date: Mon, 14 Sep 2015 18:33:17 +0200 From: beloumi <beloumi@...eup.net> To: discussions@...sword-hashing.net Subject: Re: [PHC] Specification of a modular crypt format Am 14.09.2015 um 18:05 schrieb Hugo Landau: > While it's true that existing crypt() implementations and their base64 > implementation is widespread, RFC 4648 base64 is more prevalent still. > And consider that the most pressing case for modern password hashing > is probably not in /etc/shadow, but in the user databases of large, > popular websites. Developers in this circumstance (or, preferably, > people developing password hashing libraries) will have RFC 4648 > base64 libraries available to them, but if they have to use crypt() > base64 they may have to implement it themselves, which creates the > risk that they will implement it in a subtly buggy or broken fashion. > I say this from experience; I implemented sha512-crypt in Go, and had > to implement crypt() base64. Whereas if it had used RFC 4648 base64 > existing base64 libraries could have been reused. Not really a > problem, but it feels like an unnecessary liability. I agree to Hugo. I had implemented Bcrypt for Bouncy Castle Crypto API (Java). RFC 4648 would have been available, but I had to write an extra Base64 encoding for Bcrypt.
Powered by blists - more mailing lists