@mischif
-
(Specifically, bcrypt is better with high user counts, where users can't tolerate high authentication latency. If you have only a few users, and/or they can tolerate authentication lag above a thousand milliseconds ... and you can handle a thundering herd of those ... Argon2, tuned higher, becomes better.)
-
Soatok Dreamseeker replied to Royce Williams
@tychotithonus @mischif Here's the skinny:
- Bcrypt is cache-hard, while Argon2 is only cache-hard if you use the non-standard ds variant.
- Bcrypt is not suitable as a KDF (by itself).
I wrote about a lot of these nuances in my blog post, which was linked above in that comment thread.
When I say "cryptographers don't like bcrypt", I mean something very specific:
If you walk up to a cryptographer and say, "I'm designing an authentication system. It uses bcrypt for password hashing." you will get one of two responses:
- "Is there anything preventing you from using Argon2 or scrypt?"
- "Okay. I don't care which you use, as long as it's a password hashing function and not, like, MD5."
Very rarely will you hear, "Okay, yes, thank you for using bcrypt and not scrypt or Argon2."
-
Soatok Dreamseeker replied to Soatok Dreamseeker
@tychotithonus @mischif On the note of bcrypt as a KDF:
GitHub - ryancdotorg/bcrypt-ext: Extended bcrypt, increases max work factor and adds keywrap.
This is a fun idea explored by @ryanc that uses a BLAKE2 hash of the final S-box to derive a key.
-
Ryan Castellucci :nonbinary_flag: replied to Soatok Dreamseeker
@soatok @tychotithonus @mischif I actually computed a crypt hash with a work factor of 32 using that, lol.