(Edit: Some numbers for you people who like numbers)
I write this post because I've noticed a sort of "JUST USE BCRYPT" cargo cult (thanks Coda Hale!) This is absolutely the wrong attitude to have about cryptography. Even though people who know much more about cryptography than I do have done an amazing job packaging these ciphers into easy-to-use libraries, use of cryptography is not something you undertake lightly. Please know what you're doing when you're using it, or else it isn't going to help you.
The first cipher I'd suggest you consider besides bcrypt is PBKDF2. It's ubiquitous and time-tested with an academic pedigree from RSA Labs, you know, the guys who invented much of the cryptographic ecosystem we use today. Like bcrypt, PBKDF2 has an adjustable work factor. Unlike bcrypt, PBKDF2 has been the subject of intense research and still remains the best conservative choice.
There has been considerably less research into the soundness of bcrypt as a key derivation function as compared to PBKDF2, and simply for that reason alone bcrypt is much more of an unknown as to what future attacks may be discovered against it. bcrypt has a higher theoretical-safety-to-compute-time factor than PBKDF2, but that won't help you if an attack is discovered which mitigates bcrypt's computational complexity. Such attacks have been found in the past against ciphers like 3DES. Where 3DES uses a 168-bit key, various attacks have reduced that key size's effectiveness to 80-bits.
PBKDF2 is used by WPA, popular password safes like 1Password and LastPass, and full-disk encryption tools like TrueCrypt and FileVault. While I often poke fun at Lamer News as a Sinatra antipattern, I have to applaud antirez on his choice of PBKDF2 when he got bombarded with a "just use bcrypt!" attack (although bro, antirez, there's a PBKDF2 gem you can use, you don't have to vendor it)
The second cipher to consider is scrypt. Not only does scrypt give you more theoretical safety than bcrypt per unit compute time, but it also allows you to configure the amount of space in memory needed to compute the result. Where algorithms like PBKDF2 and bcrypt work in-place in memory, scrypt is a "memory-hard" algorithm, and thus makes a brute-force attacker pay penalties both in CPU and in memory. While scrypt's cryptographic soundness, like bcrypt's, is poorly researched, from a pure algorithmic perspective it's superior on all fronts.
The next time you need to pick a key derivation function, please, don't use bcrypt.
1,422 comments:
«Oldest ‹Older 1401 – 1422 of 1422I’ve always enjoyed reading your article. Your topics are so interesting and content is mindblowing, whenever I start reading I couldn’t stop to read the full article.
CogniStrong
Quietum Plus
CogniStrong
Neuroxen
MobillityMD
Urinoct
Joint N11
CogniSurge
DigestiStart
Nice blog, the article you have shared is good. This article is very useful. My friend suggest me to use this blog.
Neurozoom
Nerve fresh
Pineal Activator
Pineal Awakening
Mitolyn
Nervala
Ignitra
Nerve Alive
LungExpand Pro
Men’s Growth
If you want to learn how to invest your money in the share market or you want to choose your right stocks that makes you rich.
Menovelle
Glucotrust
Kerassentials
Nitric Boost Ultra
Neuro Surge
Sciatica Pro
Fluxactive
EyeFortin
Neurodrine
It was a great informative post. Proceed many Useful and enlightening links. Loved your writings also. Concept of this subject was well discussed.
Gluco Berry
Nu Nerve
Audifort
Flushfactor
Quietum Plus
Sleep Lean
Ikaria Juice
Mitolyn
Prime Biome
Sugar Defender
You’ve done it, and beautifully! I’m raising my glass of tea to you in celebration of this enormous achievement!.
SlimCrystal
HerpaFend
TotalControl24
Pyramid Wealth Frequency
Peak BioBoost
Prime Biome
Resurge
MetaboFlex
Plantsulin
Nice information. Thanks for sharing this informative blog with us. I really need this type of blog and I’m so lucky to found this. also visit
Alpha Surge
Urinoct
JointVive
VertiAid
NeuroPrime
DigestSync
Arialief
Neuro fortis Pro
VenoPlus 8
Ageless Knees
Our students get live trading experience with one-to-one mentoring and top-of-the-line facilities, technology and educators.
VitaSeal
Leptozan
Revitag
Oradentum
NanoDefense Pro
SeroBurn
Renew Dental Support
Prosta Peak
Gluco6
Igenics
Most of the traders don’t follow the trend, they try to sell or buy on market sentiment which is risky. To know the market trend trader should learn the technical analysis course.
Alpha Surge
Sugar Defender
Zencortex
HepatoBurn
LungExpand Pro
Breathe
MetaNail Serum Pro
Nerve Revive
NanoDefense Pro
This is the common mistake in share market they don’t know the trend of the market. Trading against the trend is highly risky.
VITALS STORE
Prodentim
Java Burn
Vertigenics
AquaSculpt
Prostavive
Claritox pro
Titan Flow
Pineal Guardian
This was a very useful article.
Also take a look at Learn Data Science vs Data Analytics.
Loved this! Explains things in a simple way. For anyone looking to compare data fields, here’s a useful link: Data Science vs Data Analytics.
For developers who want to build a strong foundation in backend security and real-world application development, this guide on 👉 Best Full Stack Developer Course is a great resource to gain practical experience.
This was a really helpful read. I appreciate the effort you put into explaining everything. Also sharing this useful link: Best Full Stack Developer Course. Thanks!
Posts like this are valuable because they encourage developers to rethink assumptions and stay updated with current best practices in security.
For developers who also want to improve how their applications look and feel while building secure systems, this
Figma UI UX Course
is a great resource to build strong UI/UX skills and create better user experiences.
I appreciate the effort put into this post and the helpful Data Science Course in Coimbatore and How to Learn Data Analytics.
Good course to explore Social Media Marketing Course
Sunsenz solar, one of the best solar company in Kerala
This could be a great start Data Science Course with Placement
Very informative article, thanks for sharing.
I like how you explained everything step by step.
It makes learning easier.
I’ve been looking for good resources.
Data Science Course with Placement
Worth checking out.
If you are planning to move into the cloud domain, I highly recommend starting with a structured program. This AWS Training in Electronic City is excellent because they focus purely on industry-standard projects and VPC configurations.
ওমরাহ প্যাকেজ
If you are serious about becoming a data professional in 2026, you need more than just theory. This structured Data Science Course in Electronic City provides hands-on experience with real-world datasets which is a game changer.
Post a Comment