Monday, March 19, 2012

Don't use bcrypt

(Edit: Some numbers for you people who like numbers)

If you're already using bcrypt, relax, you're fine, probably. However, if you're looking for a key derivation function (or in bcrypt's case, password encryption function) for a new project, bcrypt is probably not the best one you can pick. In fact, there are two algorithms which are each better in a different way than bcrypt, and also widely available across many platforms.

I write this post because I've noticed a sort of "JUST USE BCRYPT" cargo cult (thanks Coda Hale!). This is absolutely the wrong attitude to have about cryptography. Even though people who know much more about cryptography than I do have done an amazing job packaging these ciphers into easy-to-use libraries, use of cryptography is not something you undertake lightly. Please know what you're doing when you're using it, or else it isn't going to help you.

The first cipher I'd suggest you consider besides bcrypt is PBKDF2. It's ubiquitous and time-tested with an academic pedigree from RSA Labs, you know, the guys who invented much of the cryptographic ecosystem we use today. Like bcrypt, PBKDF2 has an adjustable work factor. Unlike bcrypt, PBKDF2 has been the subject of intense research and still remains the best conservative choice.

There has been considerably less research into the soundness of bcrypt as a key derivation function as compared to PBKDF2, and for that reason alone bcrypt is much more of an unknown as to what future attacks may be discovered against it. bcrypt has a higher theoretical-safety-to-compute-time factor than PBKDF2, but that won't help you if an attack is discovered which mitigates bcrypt's computational complexity. Such attacks have been found in the past against ciphers like 3DES. Where 3DES uses a 168-bit key, various attacks have reduced that key size's effectiveness to 80 bits.

PBKDF2 is used by WPA, popular password safes like 1Password and LastPass, and full-disk encryption tools like TrueCrypt and FileVault. While I often poke fun at Lamer News as a Sinatra antipattern, I have to applaud antirez on his choice of PBKDF2 when he got bombarded with a "just use bcrypt!" attack (although bro, antirez, there's a PBKDF2 gem you can use, you don't have to vendor it).

The second cipher to consider is scrypt. Not only does scrypt give you more theoretical safety than bcrypt per unit compute time, but it also allows you to configure the amount of space in memory needed to compute the result. Where algorithms like PBKDF2 and bcrypt work in-place in memory, scrypt is a "memory-hard" algorithm, and thus makes a brute-force attacker pay penalties both in CPU and in memory. While scrypt's cryptographic soundness, like bcrypt's, is poorly researched, from a pure algorithmic perspective it's superior on all fronts.
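To make the two tuning knobs discussed above concrete (PBKDF2's iteration count and scrypt's CPU/memory parameters), here is an added example that is not part of the original post, using only Python's standard `hashlib`. The parameter values, the `algo$params$salt$key` record format and all function names are assumptions chosen for illustration.

```python
import base64, hashlib, hmac, os

# Assumed policy for illustration only; tune to your hardware and latency budget.
POLICY = {"pbkdf2": (200_000,),        # iterations: CPU cost only
          "scrypt": (2**14, 8, 1)}     # N, r, p: CPU cost and memory cost
MAXMEM = 64 * 1024 * 1024              # ceiling handed to OpenSSL's scrypt

def scrypt_memory_bytes(n, r):
    """Approximate RAM for one scrypt evaluation: 128 * N * r bytes."""
    return 128 * n * r

def derive(algo, password, salt, params):
    pw = password.encode("utf-8")
    if algo == "pbkdf2":
        return hashlib.pbkdf2_hmac("sha256", pw, salt, params[0], dklen=32)
    if algo == "scrypt":
        n, r, p = params
        return hashlib.scrypt(pw, salt=salt, n=n, r=r, p=p, maxmem=MAXMEM, dklen=32)
    raise ValueError(f"unsupported algorithm: {algo}")

def hash_password(password, algo="scrypt", params=None, salt=None):
    """Return 'algo$params$salt$key' so the work factor travels with the hash."""
    params = tuple(params or POLICY[algo])
    salt = salt or os.urandom(16)
    key = derive(algo, password, salt, params)
    return "$".join([algo, ",".join(map(str, params)),
                     base64.b64encode(salt).decode(), base64.b64encode(key).decode()])

def parse(record):
    algo, params, salt, key = record.split("$")
    return (algo, tuple(int(x) for x in params.split(",")),
            base64.b64decode(salt), base64.b64decode(key))

def verify_password(password, record):
    """Recompute with the stored parameters and compare in constant time."""
    algo, params, salt, expected = parse(record)
    return hmac.compare_digest(derive(algo, password, salt, params), expected)

def needs_rehash(record):
    """True when a stored record is weaker than the current policy."""
    algo, params, _, _ = parse(record)
    return algo not in POLICY or any(have < want for have, want in zip(params, POLICY[algo]))

if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")   # constructed sample input
    print(rec, verify_password("correct horse battery staple", rec), needs_rehash(rec))
    print("scrypt RAM per guess:", scrypt_memory_bytes(*POLICY["scrypt"][:2]), "bytes")
```

Because the parameters are stored with each record, raising the policy later only requires calling `needs_rehash` at the next successful login and re-deriving the key.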

The next time you need to pick a key derivation function, please, don't use bcrypt.

