Date: Tue, 24 May 2016 03:34:52 +0000 (UTC)
From: Alex Elsayed <>
Subject: Re: Verbify "password hash"

On Sun, 22 May 2016 18:17:11 -0400, Scott Arciszewski wrote:
> Compare the two statements:
>     Don't encrypt passwords, hash them. But not with a general-purpose
> cryptographic hash function; you need to use a hash function
> specifically designed to perform the slow, salted hashing of a password.
> This means don't use something like AES or SHA256, but do use Argon2i.
> -----
>     Don't encrypt or hash passwords, phash them. For example: Argon2i.
> I find myself repeating the same footnotes every time I try to correct
> an article or press release about "we encrypt our users' passwords". My
> meta-argument is that using the same verb to mean several different
> actions is ambiguous and causes confusion for neophytes and opting for a
> different verb for every context avoids that problem.

This is a false dichotomy:

    Don't roll your own password storage; use a secure password hash, 
such as Argon2i.

> The need for it might not seem widespread, but I'm reasonably sure that
> adopting this approach will lead to better user understanding (i.e. not
> calling literally everything you can do in cryptography "encryption").

Such a term is only needed because you're trying to fit this into a 
pattern that puts you in a linguistic straitjacket. By reframing the 
problem - and the problem is not encryption, or hashing, it's that people 
aren't using Best Practices - the need falls away.
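The three things the quoted text distinguishes ("hash" with a general-purpose function versus a slow, salted password hash), as an added illustration that is not part of this thread. Argon2i is not in the Python standard library, so hashlib.scrypt stands in for it; the storage format and parameters are this example's own choices.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Modest scrypt cost so the example runs quickly; raise for production use.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def general_purpose_hash(password: str) -> str:
    """What 'we hash our passwords' too often means: fast and unsalted.
    Equal passwords give equal digests, and a leaked table can be
    attacked at the full speed of SHA-256."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def phash(password: str, salt: Optional[bytes] = None) -> str:
    """Password hash in the thread's sense: salted and deliberately slow.
    The record is self-describing so cost parameters can be raised later
    without breaking verification of older records."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    fields = ["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
              base64.b64encode(salt).decode("ascii"),
              base64.b64encode(dk).decode("ascii")]
    return "$".join(fields)


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt/parameters; compare in constant time."""
    try:
        scheme, n, r, p, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False  # malformed record
    if scheme != "scrypt":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print(general_purpose_hash(pw) == general_purpose_hash(pw))  # True: unsalted
    record = phash(pw)
    print(record != phash(pw))  # True: a fresh salt every time
    print(verify(pw, record), verify("wrong guess", record))  # True False
```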
