top | item 4073490

Glowbox | 13 years ago

Disclaimer: I am not a cryptographic expert.

https://docs.djangoproject.com/en/dev/topics/auth/

Django by default uses the PBKDF2 algorithm, which is better than nothing/md5/no salt sha1.

I'd use bcrypt or scrypt by default, better safe than sorry.

leif | 13 years ago

PBKDF2 is extremely good. Without deeper analysis (or a feature comparison) I'd be hesitant to say that bcrypt or scrypt are better.

tptacek | 13 years ago

I sincerely mean no offense but this statement came directly out of your butt. Read the table on page 14 of Colin Percival's Usenix paper "Stronger Key Derivation Via Sequential Memory-Hard Functions" (which you could have found by Googling [scrypt paper]); PBKDF2 is ~5x faster (i.e. costs ~5x less to break) than bcrypt; PBKDF2 and scrypt aren't even in the same ballpark.

From exactly where did you derive the idea that PBKDF2 is "extremely good"?

The reality is that all three of PBKDF2, bcrypt, and scrypt are just fine. But PBKDF2 and scrypt have drastically poorer library support than bcrypt; nobody should delay using a strong password hash so that they can optimize which one they use.

ams6110 | 13 years ago

PBKDF2 is way better than salted hashes. It's right there with bcrypt and scrypt on the "good choices" list.

tptacek | 13 years ago

Django has chosen a fine default and for the next several years it's probably unnecessary to second-guess it. Over time, GPU and (more importantly) FPGA-assisted hash cracking may or may not become more common, at which point you'd want to transition to something like scrypt.

You could literally flip a coin to decide between bcrypt and PBKDF2 and it wouldn't matter which side came up.

masklinn | 13 years ago

> which is better than nothing/md5/no salt sha1.

It's also better than salted sha1 since it performs multiple iteration rounds leading to (configurable) higher computational complexity.
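The two points the thread turns on, that PBKDF2 stores a configurable iteration count alongside the salt and hash, and that this count can be raised later as cracking hardware improves, are illustrated by the following example. It is added here and is not Django's hasher or any commenter's code: it uses only the Python standard library (`hashlib.pbkdf2_hmac`), mirrors a Django-style `algorithm$iterations$salt$hash` string layout only for illustration, and the work factor `DEFAULT_ITERATIONS = 600_000` is an assumed value for this example, not any particular Django release's default. The `login` helper shows the upgrade-on-login pattern a practitioner would use when moving to a higher cost: verify against the stored cost, then re-hash with the new one while the plaintext is still in hand.

```python
"""Salted, iterated PBKDF2-HMAC password hashing with an upgradable work factor.

Added example using only the Python standard library; not Django's own hasher.
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Assumed work factor for this example. Django's default has been raised many
# times over the years; the point is that it is a stored, tunable parameter.
DEFAULT_ITERATIONS = 600_000
DIGEST = "sha256"
SALT_BYTES = 16
ALGORITHM = "pbkdf2_" + DIGEST


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_b64$hash_b64'.

    The layout mirrors a Django-style 'algorithm$iterations$salt$hash' string
    so that the cost lives next to the hash and can be raised later.
    """
    if salt is None:
        # A fresh random salt per password: identical passwords hash
        # differently, and precomputed tables are useless.
        salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(DIGEST, password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, encoded: str,
                    wanted_iterations: int = DEFAULT_ITERATIONS) -> Tuple[bool, bool]:
    """Return (matches, needs_rehash).

    needs_rehash is True when the password is correct but the stored hash was
    produced with fewer iterations than we now want, so the caller can re-hash
    it at the higher cost while the plaintext is available.
    """
    algorithm, iterations_s, salt_b64, hash_b64 = encoded.split("$", 3)
    if algorithm != ALGORITHM:
        raise ValueError("unsupported hash algorithm: %r" % algorithm)
    iterations = int(iterations_s)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac(DIGEST, password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    # Constant-time comparison: do not leak how many leading bytes matched.
    matches = hmac.compare_digest(candidate, expected)
    return matches, matches and iterations < wanted_iterations


def login(password: str, stored: str) -> Tuple[bool, str]:
    """Upgrade-on-login flow: verify, then re-hash if the stored cost is stale.

    Returns (accepted, hash_to_store); hash_to_store equals `stored` when no
    upgrade was needed.
    """
    ok, stale = verify_password(password, stored)
    if ok and stale:
        return True, hash_password(password)
    return ok, stored


def seconds_per_hash(iterations: int, password: str = "correct horse") -> float:
    """Wall-clock cost of one hash; roughly what each guess costs an attacker
    on the same hardware. Cost grows linearly with the iteration count."""
    start = time.perf_counter()
    hash_password(password, iterations=iterations, salt=b"\x00" * SALT_BYTES)
    return time.perf_counter() - start


if __name__ == "__main__":
    legacy = hash_password("hunter2", iterations=10_000)  # an old, cheap hash
    accepted, upgraded = login("hunter2", legacy)
    print("accepted:", accepted)
    print("legacy:  ", legacy)
    print("upgraded:", upgraded)
    for n in (10_000, 100_000, DEFAULT_ITERATIONS):
        print("%8d iterations: %.3f s" % (n, seconds_per_hash(n)))
```

Because the iteration count is part of the stored string, old and new hashes coexist in one table and each verifies at its own cost; the same scheme would carry a switch of `ALGORITHM` to another KDF, since `verify_password` rejects unknown algorithms rather than guessing.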