News Feed
Sections




News Archive
Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Anthony Ferrara:
Why I Don't Recommend Scrypt
March 13, 2014 @ 10:11:59

Anthony Ferrara has a new post today looking at password hashing and a type of hashing that's beginning to get more attention in the PHP community - scrypt. However, he doesn't recommend it for production password storage and shares his reasoning why.

Scrypt was not designed for password storage. It was designed as a key derivation function for generating keys from weak material (namely passwords). The prime type of attack that scrypt is designed to defeat is ASIC based attackers. It is not designed to try to favor CPU over GPU (and thereby defeat GPU based attacks). It is this fact that we can leverage to gain an advantage when used as a password hashing mechanism.

He covers some of the basic design decisions that were made when scrypt was created. He also points out that none of the results of these decisions are strictly fatal, they just make it a bit weaker than something like bcrypt for password storage. He goes through the basic inputs scrypt requires and includes a quick snippet of code (not PHP, but easy to understand) showing its use. He talks about its "chain of 4 operations" and gets into what he sees as limitations: loop unrolling and the tune-able reduced memory usages. He finishes off the post mentioning that scrypt is still secure, but despite this he doesn't recommend it for password storage specifically.

0 comments voice your opinion now!
scrypt recommend hashing password

Link: http://blog.ircmaxell.com/2014/03/why-i-dont-recommend-scrypt.html

blog comments powered by Disqus

Similar Posts

DevShed: User Authentication and PHP Security

Web Builder Zone: Which PHP framework would you use today for a brand new application?

DevShed: Creating a Login Script for a PHP/MySQL Blogging System (Part 1)

Jeremy Kendall: PHP Password Hashing: A Dead Simple Implementation

Mike Dalisay: Salt, Hash and Store Passwords Securely with Phpass


Community Events





Don't see your event here?
Let us know!


laravel series podcast tips list bugfix deployment zendserver conference interview symfony framework api language development release introduction voicesoftheelephpant community code

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework