Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

1. Empirically: most of the applications I reviewed that used bcrypt simply used the defaults.

2. Even with a lower work factor, bcrypt is drastically better than salted SHA.

3. Companies with auth loads so high that they really need to tune bcrypt should also be using dedicated auth servers, which (a) improve security in other ways and (b) allow for a lot of flexibility in handling work factors.



> 1. Empirically: most of the applications I reviewed that used bcrypt simply used the defaults.

Isn't that a security risk of it's own though? Wouldn't creating a rainbow table for (non-salted) passwords hashed with the default bcrypt settings then make sense again?


No.


Why?

Also; if you don't feel like writing a useful response feel free not to respond at all.


Because bcrypt automatically generates and adds a salt every time it's invoked. Every bcrypt hash has a different salt. Hashing the same plaintext ten times will produce ten different hashes.


Ah OK; so the default bcrypt implementation essentially just includes the salt in it's output by definition. Got it.

I thought hashes were deterministic by definition so I was wondering where the required randomness came from.


One of the things that make these password hashing threads astonishingly tedious is that somebody who has never so much as googled "bcrypt" always chimes in with "but what about the rainbow tables???".


There's an XKCD for that: https://xkcd.com/1053/

As far as I'm concerned bcrypt took the term for a concept that is generally understood to be deterministic (hashing) and redefined it by adding the randomness in by default.

That was probably a better call than trying to introduce a new term and a new hashing algorithm at the same time; but it's also asking for the exact long-term confusion you're complaining about here.


That XKCD doesn't really apply here since you could have easily asked for an explanation without the snark in the first place. There's also a difference between making fun of someone for not knowing something and choosing not to engage with them.

> That was probably a better call than trying to introduce a new term and a new hashing algorithm at the same time; but it's also asking for the exact long-term confusion you're complaining about here

To be fair, besides a basic search for information on the subject, this was also covered in the linked article...


He didn't ask snarkily, but we sure are beating this subthread to death. Let's all stop here.


Really? I just reread the article and I couldn't find anything about bcrypt containing the salt as part of its output.

P.S. The XKCD wasn't directed tptacek but at tedunangst who apparently felt my comment made this thread 'astonishingly tedious.'


What term? The paper that introduced bcrypt was titled "A Future-Adaptable Password Scheme". The first result, Wikipedia, calls it "a key derivation function for passwords".


Because bcrypt uses a salt, so a "rainbow table for non-salted passwords" would be utterly useless.


If they're using dedicated hardware, why not use smartcards to salt the hash.

From the article, even 74kh/s is going to tear through a lot of passwords, but with a secure element in the mix, offline attacks go nowhere.


The purpose of a password hash is to protect the password authenticators in the event the database is compromised. If you define away the possibility of a database compromise, just store them in plaintext.


I'm not trying to define away the possibility of a database compromise, I'm integrating a secure element into the hashing scheme that can compute an HMAC without exposing its key.


Wherever you're storing the key, where it's inaccessible to attackers, just store the password.

I'm not even saying that keyed hashes are a bad idea. I'm saying they're orthogonal to the question being discussed on the thread.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: