Message-ID: <CAKws9z16BOHS+Wmy-4ZZ6KhAE18-wx5LwbACJf0zPzO4uQPpmg@mail.gmail.com>
Date: Sun, 22 May 2016 17:17:28 -0400
From: Scott Arciszewski <scott@...agonie.com>
To: discussions@...sword-hashing.net
Subject: Verbify "password hash"

Hi all,

I frequently find myself telling people, "Don't encrypt passwords, hash
them," but then I have to continue on explaining that you can't just use
ANY old cryptographic hash function, you need to use one of these special
password hashing functions instead.

A lot of clarity and simplicity can be gleaned from choosing a distinct
verb to go along with each major class of cryptographic algorithm, even if
it's an informal vernacular.

This is what I've come up with so far:

* Symmetric-key cryptography
    * Symmetric-key encryption
        * encrypt
        * decrypt
    * Symmetric-key authentication
        * auth
        * validate
* Asymmetric-key cryptography
    * Asymmetric-key encryption (wherein you encrypt with
      $publicKey but can only decrypt with $secretKey)
        * seal
        * open
    * Asymmetric-key authentication
        * sign
        * verify
    * Key agreement
        * exchange / agree / negotiate
          (not sure which is easiest yet)
* Other cryptography
    * Cryptographic hash functions
        * hash
    * Password hash functions
        * ?????

I'm not the first to propose the naming issue, but my argument is a bit
different: I'm fine with "password hash" as a compound noun. I'd just like
to get some feedback on a verb, for telling developers with little security
background:

    Don't encrypt passwords. Don't hash passwords. Instead, ______
    passwords.

Some ideas that have come up in discussing this on Twitter:

* PASH (previously suggested by dchest)
* phash (my original suggestion; pronounced "fash"; short for password
  hash)
* pulverize
* blend
* puree
* blitz
* nuke and pave (not sure if this one was tongue-in-cheek)

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>