[cryptography] any reason PBKDF2 shouldn't be used for storing hashed passwords?

Patrick Mylund Nielsen cryptography at patrickmylund.com
Wed Aug 15 20:30:31 EDT 2012

One curious note is that NIST recommends PBKDF2 for master key derivation,
and specifically write, "The MK [PBKDF2 output] shall not be used for other
purposes." Perhaps the document was meant to document just KDFs. Since the
hashes are one-way anyway, I don't see it making a difference for use as
"password digests."

On Thu, Aug 16, 2012 at 2:15 AM, Jon Callas <jon at callas.org> wrote:

> Hash: SHA1
> On Aug 15, 2012, at 4:50 PM, travis+ml-rbcryptography at subspacefield.orgwrote:
> > * PGP Signed by an unknown key
> >
> > Any reason PBKDF2 shouldn't be used for (storing) hashed passwords?
> >
> My recommendation is that you should use it. It's even got a NIST
> document, now:
> http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf
> To be the most rigorous, use PBKDF2-HMAC-SHA[12]. It doesn't matter a lot
> which hash function you're using if you're doing the HMAC version. The
> major difference will be the number of iterations. SHA2 is slower than
> SHA1, so you'll use fewer iterations. SHA512 is faster on a 64-bit
> processor than SHA256, which puts a small wrench in things.
> Use lots of iterations. Calibrate them against real time -- enough for
> 100ms or more, for example, rather than a fixed count. If you're worried,
> then add more iterations.
>         Jon
> Version: PGP Universal 3.2.0 (Build 1672)
> Charset: us-ascii
> wj8DBQFQLDuusTedWZOD3gYRAt0+AKC0jAKZS40IDBdYelX19y5pQ6zS5gCgpYhI
> dYokIg8zciE7iY5NrXVWkwc=
> =pSLW
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20120816/3ff104c9/attachment.html>

More information about the cryptography mailing list