Everyone please, no more talking about salting hashes

After LinkedIn etc. sites had recently their hashes exposed everyone got busy writing YASH (Yet Another Salted Hashes) -articles. This is 2012, you should not be talking about salting SHA-1 hashes.

Why shouldn’t you be talking about salting? Because intelligent people have constructed methods which when compared to salting make it look like a case of plaintext vs. md5.

What should everyone be posting about? We should or must be talking about PBKDF2. Yes, it sucks that it’s more difficult to remember than “salt” or “sha-1 salt”; it always takes me a while to find it. Remember, it’s about password transforming to a key, Password-Based Key Derivation Function. I always remember the first letter being about private keys and thus cannot find it.

Anyway, here’s how you use it:

Sadly, I couldn’t find one for fortran in a simple search, but I guess no one uses it to build web applications these days :(

Why should you be using PBKDF2 (or something similar, {s,b}crypt)? Because they are designed to be “not too fast” where as message digests (SHA*, MD5) are designed to perform as fast as possible (among other things). Given the choice of bruteforcing your PBKDF2 based hashes compared to your competitions salted MD5 database your hashes will be left alone for some years to come.

Just use it already! Next!


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: