Message-ID: <20131125064503.GA27095@openwall.com>
Date: Mon, 25 Nov 2013 10:45:03 +0400
From: Solar Designer <solar@...nwall.com>
To: crypt-dev@...ts.openwall.com
Subject: Re: A couple of thoughts on password hashing

Hi,

After having already done much work on an scrypt-inspired new password
hash, I am re-reading some threads here and on other lists where people
posted thoughts on password hashing.  I didn't want them to influence my
thinking too much initially, but now is the time for a sanity check. ;-)

On Sat, Feb 02, 2013 at 05:56:01PM +0100, CodesInChaos wrote:
> A couple of quick thoughts on creating new password hashes:

Thank you for these!  I mostly agree, with the major exception being:

> * For Key derivation in disk encryption, state level attackers with custom
> hardware are an important consideration
>   For login hashes we probably care more about less sophisticated attackers
> with GPUs and perhaps FPGA.

Yes, but:

> * Time-memory trade-offs seem to increase flexibility without benefiting
> attackers. It's trade-offs involving parallelism that are problematic

Time-memory tradeoffs are also problematic for the defender, considering
"less sophisticated attackers with GPUs and perhaps FPGA".  I include
some optional TMTO discouraging measures specifically to better defend
against attackers with non-ASICs (or with less than 100% of their
hardware being ASICs).

Alexander
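
The time-memory tradeoff discussed above, as an added example that is not part of the original message or of the author's hash design: a toy scrypt-style ROMix computed once with all N blocks held in memory and once storing only every k-th block and recomputing the rest on demand. SHA-256 standing in for scrypt's block mixing, the simplified `integerify`, and all function names are assumptions made for this sketch.

```python
import hashlib

def H(block: bytes) -> bytes:
    # Assumption: SHA-256 stands in for scrypt's BlockMix (Salsa20/8) to keep this short.
    return hashlib.sha256(block).digest()

def integerify(block: bytes, n: int) -> int:
    # Simplified index derivation: low 64 bits of the block, reduced mod n.
    return int.from_bytes(block[:8], "little") % n

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def romix_full(seed: bytes, n: int):
    """Defender's path: keep all n blocks. Returns (output, blocks_stored, H_calls)."""
    x, v, calls = hashlib.sha256(seed).digest(), [], 0
    for _ in range(n):                 # fill phase: V[i] = H^i(x0)
        v.append(x)
        x = H(x); calls += 1
    for _ in range(n):                 # read phase: data-dependent lookups into V
        j = integerify(x, n)
        x = H(xor(x, v[j])); calls += 1
    return x, len(v), calls

def romix_tmto(seed: bytes, n: int, k: int):
    """Same function with ~n/k blocks stored; missing blocks are recomputed."""
    x, v, calls = hashlib.sha256(seed).digest(), {}, 0
    for i in range(n):
        if i % k == 0:                 # keep only every k-th block
            v[i] = x
        x = H(x); calls += 1
    for _ in range(n):
        j = integerify(x, n)
        vj = v[j - j % k]              # nearest stored block at or below j
        for _ in range(j % k):         # walk forward to rebuild V[j]
            vj = H(vj); calls += 1
        x = H(xor(x, vj)); calls += 1
    return x, len(v), calls

if __name__ == "__main__":
    seed = b"constructed-password" + b"constructed-salt"   # constructed sample input
    for label, res in (("full", romix_full(seed, 1024)),
                       ("1/4 memory", romix_tmto(seed, 1024, 4))):
        out, stored, calls = res
        print(f"{label:>10}: blocks={stored:5d} H_calls={calls:5d} out={out.hex()[:16]}")
```

The reduced-memory run produces the same output with a quarter of the storage at the price of extra hash calls, which is the exchange that suits hardware with little fast memory per core.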
