| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 24 May 2016 03:34:52 +0000 (UTC)
From: Alex Elsayed <eternaleye@...il.com>
To: discussions@...sword-hashing.net
Subject: Re: Verbify "password hash"
On Sun, 22 May 2016 18:17:11 -0400, Scott Arciszewski wrote:
>
> Compare the two statements:
>
> Don't encrypt passwords, hash them. But not with a general-purpose
> cryptographic hash function; you need to use a hash function
> specifically designed to perform the slow, salted hashing of a password.
> This means don't use something like AES or SHA256, but do use Argon2i.
>
> -----
>
> Don't encrypt or hash passwords, phash them. For example: Argon2i.
>
> I find myself repeating the same footnotes every time I try to correct
> an article or press release about "we encrypt our users' passwords". My
> meta-argument is that using the same verb to mean several different
> actions is ambiguous and causes confusion for neophytes and opting for a
> different verb for every context avoids that problem.
This is a false dichotomy:
Don't roll your own password storage; use a secure password hash,
such as Argon2i.
> The need for it might not seem widespread, but I'm reasonably sure that
> adopting this approach will lead to better user understanding (i.e. not
> calling literally everything you can do in cryptography "encryption").
Such a term is only needed because you're trying to fit this into a
pattern that puts you in a linguistic straitjacket. By reframing the
problem - and the problem is not encryption, or hashing, it's that people
aren't using Best Practices - the need falls away.
Powered by blists - more mailing lists