Password Hashing: PBKDF2, Scrypt, Bcrypt – Michele Preziuso – Medium
A question has recently been raised to me on password hashing:
Do we gain security by using multiple slow-hashing functions to securely store a password?
While all of these functions are pretty much safe given a decent implementation and good cost parameters (and therefore there is no need to increase architectural complexity), I wanted to give a broader retrospective on the real security of such a system, and I'll post it here as well.
In 2015, if you're storing passwords I hope we can already assume that you store a hashed version of them. A hash function is one-way: given some data it produces a unique-looking string of fixed length, and it always returns the same string for the same data. This lets a system check the validity of a password without knowing the original data (the plaintext password), at least in theory.

(Disclaimer: every hash function has collisions, since it maps inputs of arbitrary length onto outputs of fixed length; what matters is whether an attacker can find them. Once collisions can be found cheaply the algorithm is considered broken, as is the case for MD5, and SHA-1 is already weakened. For password storage, though, collision resistance is not the property that decides the outcome: the attacker is looking for a preimage of your hash, and what decides the outcome is how fast he can evaluate the function.)
So a generic attacker, Mallory, who is able to dump or read all user password hashes, would have to:
- Determine the hashing function that generated that output
- If he is lucky enough to find MD5 (or something similar) hashes, you'll have a happy attacker
- If the system operator used slow-hashing functions, things get somewhat more complicated (unless the operator chose cost parameters that are too weak, or bad parameters in general)
- He could run a statistical analysis (dictionary and wordlist attacks) to recover a partial password list
- He could run a brute force on them
So, in theory, if an attacker is set on cracking all your passwords by brute force, unless he's insane he also has the resources to do so (no laptop allowed here 🙂) and therefore he will use ASICs, GPU rigs or FPGA hardware.
ASICs and FPGAs are simply hardware highly optimized for ONE task: an ASIC is a fixed circuit (meaning the hardware is built strictly for that algorithm), whereas an FPGA can be reprogrammed.
Let’s talk more about slow-hashing functions.
PBKDF2 is a pretty simple function: it applies an HMAC as many times as specified by the 'iterations' parameter, each output feeding the next, and XORs the chain together. This doesn't look that good if Mallory owns a decent GPU or a GPU rig, as those are designed differently: they have many cores that shine when you need to do parallel work on a lot of data, and each core can execute the same instruction against thousands of items at the same time. A PBKDF2 guess needs only a few dozen bytes of state, so thousands of candidate passwords fit side by side: while PBKDF2 is a hard job on a CPU, it's a fairly easy job for a GPU system.
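To make that structure concrete, here is a from-scratch PBKDF2 in Python, added as an example (it is not code from the original post), checked against the standard library's hashlib.pbkdf2_hmac and an RFC 6070 test vector. Notice how little state each guess carries: one HMAC output and a running XOR, which is exactly why an attacker can keep tens of thousands of candidates in flight on a GPU. The calibrate_iterations helper and its 250 ms target are my own assumptions, not something the post specifies.

```python
import hashlib
import hmac
import time


def pbkdf2_hmac_py(hash_name: str, password: bytes, salt: bytes,
                   iterations: int, dklen: int) -> bytes:
    """PBKDF2 as specified in RFC 8018 section 5.2, written out in full.

    Each output block T_i is the XOR of a chain of HMAC evaluations:
        U_1 = HMAC(password, salt || INT_32_BE(i))
        U_j = HMAC(password, U_{j-1})
        T_i = U_1 ^ U_2 ^ ... ^ U_c
    The iteration count c is the only cost knob; there is no memory cost.
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    hlen = hashlib.new(hash_name).digest_size
    blocks = -(-dklen // hlen)  # ceil(dklen / hlen)
    out = bytearray()
    for i in range(1, blocks + 1):
        # Per guess, all the attacker must hold is this hlen-byte running
        # XOR plus one HMAC state: a tiny footprint, so a GPU can run
        # thousands of independent guesses in parallel.
        u = hmac.new(password, salt + i.to_bytes(4, "big"), hash_name).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hash_name).digest()
            t = bytearray(a ^ b for a, b in zip(t, u))
        out += t
    return bytes(out[:dklen])


def matches_stdlib(hash_name: str, password: bytes, salt: bytes,
                   iterations: int, dklen: int) -> bool:
    """Cross-check the hand-written version against hashlib.pbkdf2_hmac."""
    ours = pbkdf2_hmac_py(hash_name, password, salt, iterations, dklen)
    ref = hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, dklen)
    return hmac.compare_digest(ours, ref)


def calibrate_iterations(target_seconds: float = 0.25,
                         hash_name: str = "sha256") -> int:
    """Pick an iteration count so one hash costs about target_seconds here.

    This is the 'cost parameter' the post keeps referring to. The 250 ms
    target is an assumption for illustration; tune it to your login budget.
    It measures the defender's CPU only: the attacker's GPU will be faster.
    """
    probe = 1000
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(hash_name, b"calibration", b"x" * 16, probe, 32)
    elapsed = time.perf_counter() - start
    return max(1000, int(probe * target_seconds / max(elapsed, 1e-9)))


if __name__ == "__main__":
    # RFC 6070 vector: PBKDF2-HMAC-SHA1("password", "salt", c=1, 20 bytes)
    print(pbkdf2_hmac_py("sha1", b"password", b"salt", 1, 20).hex())
    print(matches_stdlib("sha256", b"correct horse", b"\x00" * 16, 4096, 64))
    print("iterations for ~250 ms on this machine:", calibrate_iterations())
```

The stdlib and OpenSSL versions are what you should deploy; the hand-written one exists only to show that the whole algorithm is a dependent chain of HMACs with nothing in it that costs memory.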
bcrypt dates from 1999 and is GPU-resistant by design: it is not just CPU intensive, its Blowfish key schedule also performs data-dependent lookups into a 4 KiB S-box state that has to sit in fast memory, an access pattern that maps poorly onto GPU cores built for streaming arithmetic.
However, times have changed, and a sophisticated and possibly wealthy attacker will use large, powerful FPGAs; contemporary models ship with embedded RAM blocks that hold that 4 KiB state on-chip, which greatly speeds up the job. So while bcrypt does a good job at making life difficult for a GPU attacker, it does little against an FPGA one.
scrypt, published in 2009, addresses this: its cost parameter N raises not only the running time but also the memory required, in lockstep (128 * N * r bytes), so a single hash can be tuned to need tens or hundreds of megabytes of RAM. That much memory is cheap on a general-purpose server but has to be replicated for every core an FPGA or ASIC attacker runs in parallel.
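The following Python, added here as an example and not taken from the original post, puts numbers on that memory cost and shows scrypt used as a password store via the standard library's hashlib.scrypt (OpenSSL underneath). The cost parameters (log2 N = 14, r = 8, p = 1), the 16-byte salt layout and the 2x memory headroom are my assumptions for illustration; the check at the end uses the first test vector from RFC 7914.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed cost parameters for illustration (not from the original post).
# N must be a power of two; r=8 and p=1 are the values from the scrypt paper.
LOG2_N = 14
R = 8
P = 1
DKLEN = 32
SALT_LEN = 16


def scrypt_memory_bytes(log2_n: int, r: int) -> int:
    """Bytes of RAM scrypt's ROMix must hold: 128 * r * N with N = 2**log2_n.

    Each +1 on log2_n doubles both time and memory, so the two costs move in
    lockstep: the attacker cannot buy his way out with a faster core alone,
    he has to buy this much RAM for every core he runs in parallel.
    """
    return 128 * r * (1 << log2_n)


def maxmem_for(log2_n: int, r: int, p: int) -> int:
    """Memory ceiling to pass to hashlib.scrypt; OpenSSL refuses to run above
    its default limit of 32 MiB, so large N needs an explicit value.
    The 2x headroom for OpenSSL's working buffers is an assumption."""
    return 2 * (scrypt_memory_bytes(log2_n, r) + 128 * r * p)


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || scrypt(password) so the salt travels with the hash."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=1 << LOG2_N, r=R, p=P, dklen=DKLEN,
                        maxmem=maxmem_for(LOG2_N, R, P))
    return salt + dk


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, dk = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=1 << LOG2_N, r=R, p=P, dklen=len(dk),
                               maxmem=maxmem_for(LOG2_N, R, P))
    return hmac.compare_digest(candidate, dk)


def rfc7914_vector_ok() -> bool:
    """RFC 7914 section 12, first vector: scrypt("", "", N=16, r=1, p=1, 64)."""
    expected = bytes.fromhex(
        "77d6576238657b203b19ca42c18a0497f16b4844e3074ae8dfdffa3fede21442"
        "fcd0069ded0948f8326a753a0fc81f17e8d3e0fb2e0d3628cf35e20c38d18906")
    got = hashlib.scrypt(b"", salt=b"", n=16, r=1, p=1, dklen=64)
    return hmac.compare_digest(got, expected)


if __name__ == "__main__":
    for log2_n in (10, 14, 17, 20):
        mib = scrypt_memory_bytes(log2_n, R) / 2 ** 20
        print(f"log2(N)={log2_n:2d} r={R}: {mib:8.1f} MiB per hash")
    stored = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", stored),
          verify_password("Tr0ub4dor&3", stored))
    print("RFC 7914 vector ok:", rfc7914_vector_ok())
```

With r = 8, log2 N = 14 costs 16 MiB per hash and log2 N = 20 costs 1 GiB; the defender pays that once per login on commodity RAM, the attacker pays it once per parallel guess.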
So, since the question was whether the combination of multiple slow-hashing functions is a good idea or not, I'll try to summarize all of this briefly.
First of all, let me recall that we rely on slow-hashing functions to fight the attacker on equal ground: your compute (CPU/GPU/...) versus his. scrypt levels the field further by making the function expensive on the resource the defender's general-purpose hardware already has in abundance (RAM), instead of leaving that optimization to the attacker and his specialized hardware.
So, say you want to run PBKDF2 on a scrypt digest or vice versa: is it worth it? Well, if we spend half of our fixed time budget on PBKDF2, I'd say it is not really worth it, since the attacker can turn the PBKDF2 half into dust just by taking advantage of plain GPUs, while that half of the budget could have gone into more scrypt work instead.
So the combination of the two doesn't make it harder for an attacker to crack all of your passwords; the best advice I can give is to rely on the algorithm with the best cryptographic track record and stick with it.
In this case, bcrypt has the best track record a cryptographic algorithm can wish for:
- it has been vetted by the entire crypto community, as it is now 15 years old
- it has been out in the field for almost 15 years and yet remains unbroken
- it is also widely used, supported and implemented in efficient ways
From a security perspective, I’d say that bcrypt is the best of the three.
However, scrypt is also 6 years old now; it won't take that much longer before we can call it a proven secure algorithm.