[cryptography] any reason PBKDF2 shouldn't be used for storing hashed passwords?

Jon Callas jon at callas.org
Wed Aug 15 20:15:38 EDT 2012




On Aug 15, 2012, at 4:50 PM, travis+ml-rbcryptography at subspacefield.org wrote:

> * PGP Signed by an unknown key
> 
> Any reason PBKDF2 shouldn't be used for (storing) hashed passwords?
> 

My recommendation is that you should use it. It's even got a NIST document, now:

http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf

To be the most rigorous, use PBKDF2-HMAC-SHA[12]. It doesn't matter a lot which hash function you're using if you're doing the HMAC version. The major difference will be the number of iterations. SHA2 is slower than SHA1, so you'll use fewer iterations. SHA512 is faster on a 64-bit processor than SHA256, which puts a small wrench in things.

Use lots of iterations. Calibrate them against real time -- enough for 100ms or more, for example, rather than a fixed count. If you're worried, then add more iterations.

	Jon



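An added example, not part of the original message: one way to calibrate the PBKDF2-HMAC iteration count against real time (about 100 ms) and to store the count with each hash so it can be raised later. The function names and the `pbkdf2$hash$iterations$salt$key` record layout are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import time


def calibrate_iterations(target_seconds=0.1, hash_name="sha256", probe=20_000):
    """Estimate the iteration count that costs about target_seconds on this host."""
    salt, password = os.urandom(16), b"calibration-password"
    best = float("inf")
    for _ in range(3):  # keep the fastest run to reduce scheduler noise
        start = time.perf_counter()
        hashlib.pbkdf2_hmac(hash_name, password, salt, probe)
        best = min(best, time.perf_counter() - start)
    # Never go below the probe count, even on a very fast machine.
    return max(probe, int(probe * target_seconds / best))


def hash_password(password, iterations, hash_name="sha256"):
    """Derive a key with a fresh random salt; return a self-describing record."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations)
    # Record layout is an assumption of this example, not a standard.
    return f"pbkdf2${hash_name}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Recompute with the stored parameters and compare in constant time."""
    scheme, hash_name, iterations, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2":
        return False
    dk = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def needs_rehash(record, current_iterations):
    """True when a stored record uses fewer iterations than the current target."""
    return int(record.split("$")[2]) < current_iterations


if __name__ == "__main__":
    for name in ("sha1", "sha256", "sha512"):  # counts differ per hash and CPU
        print(name, calibrate_iterations(0.1, name))
    n = calibrate_iterations()
    rec = hash_password("correct horse battery staple", n)  # constructed sample
    print(rec, verify_password("correct horse battery staple", rec))
```

Run the calibration on the hardware that will verify logins, and call `needs_rehash` after a successful login to upgrade old records when the target count has been raised.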


