lists.openwall.net: Open Source and information security mailing list archives
Date: Tue, 24 May 2016 03:34:52 +0000 (UTC)
From: Alex Elsayed <eternaleye@...il.com>
To: discussions@...sword-hashing.net
Subject: Re: Verbify "password hash"

On Sun, 22 May 2016 18:17:11 -0400, Scott Arciszewski wrote:

> Compare the two statements:
>
> Don't encrypt passwords, hash them. But not with a general-purpose
> cryptographic hash function; you need to use a hash function
> specifically designed to perform the slow, salted hashing of a password.
> This means don't use something like AES or SHA256, but do use Argon2i.
>
> -----
>
> Don't encrypt or hash passwords, phash them. For example: Argon2i.
>
> I find myself repeating the same footnotes every time I try to correct
> an article or press release about "we encrypt our users' passwords". My
> meta-argument is that using the same verb to mean several different
> actions is ambiguous and causes confusion for neophytes and opting for a
> different verb for every context avoids that problem.

This is a false dichotomy: Don't roll your own password storage; use a
secure password hash, such as Argon2i.

> The need for it might not seem widespread, but I'm reasonably sure that
> adopting this approach will lead to better user understanding (i.e. not
> calling literally everything you can do in cryptography "encryption").

Such a term is only needed because you're trying to fit this into a
pattern that puts you in a linguistic straitjacket. By reframing the
problem - and the problem is not encryption, or hashing, it's that people
aren't using Best Practices - the need falls away.
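An added example, not part of the thread above, contrasting the pattern the thread argues against (a single fast, unsalted SHA-256 of the password) with a slow, salted password hash of the kind both posters recommend. Argon2i, the function named in the thread, is not in the Python standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in to show the two properties that matter: a random per-password salt and a tunable work factor, both stored alongside the digest. The sample password, the iteration count and the stored-record format are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample input for this example (not from the original thread).
PASSWORD = "correct horse battery staple"

# Work factor for PBKDF2-HMAC-SHA256 (assumed value for illustration).
ITERATIONS = 200_000


def naive_sha256(password: str) -> str:
    """The pattern the thread argues against: one fast, unsalted hash.

    Two users with the same password get the same digest, and the digest
    can be recomputed at general-purpose hash speed by anyone holding a
    copy of the database.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def phash(password: str, salt: Optional[bytes] = None,
          iterations: int = ITERATIONS) -> str:
    """A slow, salted password hash in the shape the thread recommends.

    PBKDF2-HMAC-SHA256 stands in for Argon2i here (assumption: the point is
    the salt and the work factor, not the specific construction).
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    # Self-describing record, algorithm$iterations$salt$digest (assumed format),
    # so the verifier can recover the parameters without a side table.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        algo, iters, salt_hex, _digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    candidate = phash(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, stored)


def same_password_same_output(fn) -> bool:
    """True if hashing the same password twice yields identical output.

    For the unsalted hash this is True, which is what lets an attacker
    spot shared passwords and reuse precomputed tables; for phash it is
    False because each call draws a new salt.
    """
    return fn(PASSWORD) == fn(PASSWORD)


if __name__ == "__main__":
    print("sha256 repeats across users:", same_password_same_output(naive_sha256))
    print("phash repeats across users: ", same_password_same_output(phash))
    record = phash(PASSWORD)
    print("stored record:", record)
    print("verify correct:", verify(PASSWORD, record))
    print("verify wrong:  ", verify("Tr0ub4dor&3", record))
```

The stored record carries its own algorithm name and cost, which is what lets a deployment raise the iteration count later and re-hash users on their next login rather than keeping a separate table of parameters; the constant-time comparison in verify avoids leaking how many leading bytes of the digest matched.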