News Feed

News Archive
Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Anthony Ferrara:
Why I Don't Recommend Scrypt
March 13, 2014 @ 10:11:59

Anthony Ferrara has a new post today looking at password hashing and a type of hashing that's beginning to get more attention in the PHP community - scrypt. However, he doesn't recommend it for production password storage and shares his reasoning why.

Scrypt was not designed for password storage. It was designed as a key derivation function for generating keys from weak material (namely passwords). The prime type of attack that scrypt is designed to defeat is ASIC based attackers. It is not designed to try to favor CPU over GPU (and thereby defeat GPU based attacks). It is this fact that we can leverage to gain an advantage when used as a password hashing mechanism.

He covers some of the basic design decisions that were made when scrypt was created. He also points out that none of the results of these decisions are strictly fatal, they just make it a bit weaker than something like bcrypt for password storage. He goes through the basic inputs scrypt requires and includes a quick snippet of code (not PHP, but easy to understand) showing its use. He talks about its "chain of 4 operations" and gets into what he sees as limitations: loop unrolling and the tune-able reduced memory usages. He finishes off the post mentioning that scrypt is still secure, but despite this he doesn't recommend it for password storage specifically.

0 comments voice your opinion now!
scrypt recommend hashing password


blog comments powered by Disqus

Similar Posts

Anthony Ferrara's Blog: Properly Salting Passwords, The Case Against Pepper

Chris Hartjes' Blog: Don’t Fear The Command Line: Using CakePHP Shells

Joshua Thijssen's Blog: Password hashing and salting Handling passwords safely in PHP Just Hashing is Far from Enough for Storing Passwords (Dictionary & Rainbow Attacks)

Community Events

Don't see your event here?
Let us know!

framework extension release laravel api community language opinion threedevsandamaybe introduction voicesoftheelephpant series version podcast laravel5 unittest symfony interview security library

All content copyright, 2015 :: - Powered by the Solar PHP Framework