[cryptography] any reason PBKDF2 shouldn't be used for storing hashed passwords?
Patrick Mylund Nielsen
cryptography at patrickmylund.com
Wed Aug 15 20:30:31 EDT 2012
One curious note is that NIST recommends PBKDF2 for master key derivation,
and specifically writes, "The MK [PBKDF2 output] shall not be used for other
purposes." Perhaps the document was meant to document just KDFs. Since the
hashes are one-way anyway, I don't see it making a difference for use as
On Thu, Aug 16, 2012 at 2:15 AM, Jon Callas <jon at callas.org> wrote:
> On Aug 15, 2012, at 4:50 PM, travis+ml-rbcryptography at subspacefield.org wrote:
> > Any reason PBKDF2 shouldn't be used for (storing) hashed passwords?
> My recommendation is that you should use it. It's even got a NIST
> document, now:
> To be the most rigorous, use PBKDF2-HMAC-SHA. It doesn't matter a lot
> which hash function you're using if you're doing the HMAC version. The
> major difference will be the number of iterations. SHA2 is slower than
> SHA1, so you'll use fewer iterations. SHA512 is faster on a 64-bit
> processor than SHA256, which puts a small wrench in things.
> Use lots of iterations. Calibrate them against real time -- enough for
> 100ms or more, for example, rather than a fixed count. If you're worried,
> then add more iterations.
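Added example, not part of the original thread: one way to follow the advice above to calibrate the PBKDF2-HMAC iteration count against real time (about 100 ms) instead of hard-coding it. The record layout `pbkdf2-<hash>$<iterations>$<salt>$<digest>`, the function names, the probe size and the 10,000-iteration floor are assumptions made for this sketch; the count is stored in each record so that hashes made with an older calibration still verify.

```python
import hashlib
import hmac
import os
import time

FLOOR = 10_000   # assumed lower bound, used even if timing is noisy
PROBE = 20_000   # assumed probe size for the timing measurement


def calibrate(target_seconds=0.1, hash_name="sha256"):
    """Return an iteration count that takes roughly target_seconds on this host."""
    salt = os.urandom(16)
    timings = []
    for _ in range(3):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac(hash_name, b"calibration", salt, PROBE)
        timings.append(time.perf_counter() - start)
    # The fastest run is the least disturbed by scheduling noise.
    best = max(min(timings), 1e-9)
    return max(FLOOR, int(PROBE * target_seconds / best))


def hash_password(password, iterations, hash_name="sha256"):
    """Derive a digest and return a self-describing record string."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(hash_name, password.encode(), salt, iterations)
    return "$".join([f"pbkdf2-{hash_name}", str(iterations), salt.hex(), digest.hex()])


def verify_password(password, record):
    """Recompute with the parameters stored in the record; constant-time compare."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    hash_name = scheme.split("-", 1)[1]
    candidate = hashlib.pbkdf2_hmac(
        hash_name, password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for name in ("sha1", "sha256", "sha512"):
        # Different hashes reach the same time budget with different counts.
        print(name, calibrate(0.1, name))
    record = hash_password("constructed sample password", calibrate())
    print(record, verify_password("constructed sample password", record))
```

Run the calibration on the hardware that will actually verify logins, and repeat it when that hardware changes.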