How To Safely Store A Password

I disagree wholeheartedly. The article is based around the fallacy we've seen time and time again, of throwing more cryptography at a problem that cryptography alone cannot solve. In the end, a crappy password is a crappy password. Successfully discouraging your users from using a crappy password has much better repercussions (for the user, for you, and for the web in general) than switching from a hash-based authentication system to bcrypt. Use bcrypt for additional security, but do not use it in an attempt to solve the problem of crappy passwords that the article falsely claims bcrypt solves.<p>To be more technical, bcrypt, like PBKDF2 and other schemes of that nature, add a significant amount of additional computation by iteratively applying a primitive, but still maintain a relatively small circuit size (in comparison to the primitive itself, which is usually designed to fit onto smart cards and the like). Creating and using algorithms which are "memory-hard" or require larger circuits reduces the number of circuits one can place on some area of silicon and drives up the cost of an attack. In other words, mounting an attack on bcrypt or PBKDF2 is still cheaper and potentially much faster than we'd like it to be (which is the reason those algorithms are "tunable"--you scale the number of iterations up as computers become faster). This, along with some example memory-hard functions was the topic of Percival's paper, "Stronger Key Derivation via Sequential Memory-Hard Functions," which correctly cites Bernstein as the source of emphasis on practicality in measuring an attack not by computational complexity, but the cost of launching the attack. See <a href="http://www.bsdcan.org/2009/schedule/attachments/87_scrypt.pdf" rel="nofollow">http://www.bsdcan.org/2009/schedule/attachments/87_scrypt.pd...</a> if you're interested in reading further.

But wait. What if I use a <i>64 bit salt</i> and then AES-encrypt the password with a key I store half on my server and half in a cookie I send to the user and then they'd have to <i>break AES</i> to get my passwords? How about <i>that</i>, Coda Hale?

I am a crypto noob, so please excuse me if I sound stupid. But why not force your users to pick a password that is at least 8 characters and contains at least one digit, one capitalized letter, one lowercase letter and one special character, then gen a 16-byte salt and run it through SHA-512? The examples given in the article are for 6 lowercase alpha-only characters, which has always been relatively trivial to crack.<p>This brief article I found from 30 seconds in google shows my example at the bottom ('96 characters'): <a href="http://www.lockdown.co.uk/?pg=combi" rel="nofollow">http://www.lockdown.co.uk/?pg=combi</a><p>I acknowledge that bcrypt seems like a simple safeguard against password attacks, but I don't doubt a hacker's ingenuity in developing a method to make attacks against it reasonable - especially if it becomes widely adopted. And I think once you've lost your password database you're already completely fucked, in one way or another.

So say we tone it down to a more feasible 0.01 seconds per hash, or to put it another way, 100 requests per second. That's only 4.8 months to crack that password. There'll certainly be future hardware advances, plus GPUs could be used to bring that down. And you can be sure someone used "password" or "123456".<p>Moral of the story: use long and multiple passwords.

I haven't seen this link on this thread yet so here we go:<p><a href="http://people.redhat.com/drepper/sha-crypt.html" rel="nofollow">http://people.redhat.com/drepper/sha-crypt.html</a> Ulrich Drepper's implementation of a work factor in SHA password hashing. He addresses a popular article on bcrypt() and how using SHA allows one to follow NIST guidelines and still have the advantage of a time-consuming algorithm.<p><pre><code> me@myhost ~/ :) time perl -le'print crypt("some-password","\$6\$rounds=900000\$myrandomsalt")' $6$rounds=900000$myrandomsalt$O4u/Z5FRNBi3fw6YhAM1V1hC1LAawq9Ri65Kx77GchzOWieXeRs6w83bYqotyqBcz.WE29NygNli93dBDAbpt/ real 0m3.996s user 0m3.990s sys 0m0.005s </code></pre> If someone could comment on this in comparison to bcrypt I would appreciate it. Why should we use bcrypt if this exists in modern crypt() implementations?

A nice post, but it could use some more explanation about designing password hashes.<p>For example salt + iterative hash works extremely well too, that's what is done in the OpenPGP format (<a href="http://www.ietf.org/rfc/rfc4880.txt" rel="nofollow">http://www.ietf.org/rfc/rfc4880.txt</a> - 3.7.1.3 Iterated and Salted S2K).

We implemented http digest authentication (<a href="http://en.wikipedia.org/wiki/Digest_access_authentication" rel="nofollow">http://en.wikipedia.org/wiki/Digest_access_authentication</a>) in our application for the following reasons: - We needed to securely authenticate users connecting with browsers and rss readers without ssl. - We needed an encryption algo that we could implement in javascript so as to provide reasonably secure login without ssl.<p>Is there any way to do the above while storing bcrypt passwords on the server? Does using bcrypt in these scenarios force you to use https and pass full text passwords to the server?

What is the difference, then, between using bcrypt and iterating MD5 10^6 times?

The problem with using a scheme designed to be computationally intensive is that it doesn't scale. How can I justify 0.3 seconds of computation time if I'm dealing with tens of thousands of connections per second?

It probably still makes sense to salt before hashing. It might take months to crack a password using bcrypt, but is there something preventing a database of bcrypt hashes being built? (serious question)

The article is using a definition of "store" of which I was previously unaware. If you'd like to store passwords (eg, in a keyring or password manager), use GPG.

This is one of the most useful posts on HN in my opinion. It is both very practical and informative.

from the bcrypt page: <i>the other [bit of terrible advice] recommends reversible encryption, which is rarely needed and should only be used as a last resort.</i><p>Why is reversible encryption a terrible idea for passwords?

<i>How? Basically, it’s slow as hell.</i><p>Is that it? bcrypt is good only because it is slow? In that case, why don't we use whatever we like (MD5, SHA1, SHA256, SHA512, SHA-3, etc) and add a <i>sleep(500);</i> just before the call? It is guaranteed to keep up with Moore's law as well!

I really don't want to use this word, but this is <i>retarded</i>. Something like RFC 2898 would be a good starting point for explaining why. <a href="http://www.ietf.org/rfc/rfc2898.txt" rel="nofollow">http://www.ietf.org/rfc/rfc2898.txt</a>