Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 8 Oct 2012 00:13:21 +0400
From: Solar Designer <>
Subject: Re: Password hashing at scale (for Internet companies with millions of users) - YaC 2012 slides

On Fri, Oct 05, 2012 at 07:19:29AM -0500, Richard Miles wrote:
> I would like to take the opportunity to open a discussion if you don't mind.

Sure.  BTW, these slides were also discussed at /r/crypto:

> Based on your slides I guess that the more appropriate recommendation for
> password hashing with salt is to keep using bcrypt since it's strong and at
> the same time stable / well tested. Do you agree?

Sort of.  It's my short-term recommendation for (smaller) orgs who don't
have the resources or/and willingness e.g. to engage Openwall to have us
work on a custom password hashing setup for them. ;-)  Longer-term, we
need to arrive at a universal replacement for bcrypt.  At this time,
attackers' advantage at bcrypt using existing CPUs is only about 2x
(and no advantage from GPUs per-chip yet).  However, next year it's
expected to increase to ~4x for CPUs with AVX2 (it'd be ~8x if we
consider the vector width alone, but the limiting factor may be the 32 KB
L1 data cache), and Xeon Phi is expected to be an order of magnitude
faster than general-purpose CPUs at cracking bcrypt.

(I've addressed your question/comments on Xeon Phi and FPGA pricing in
another reply in this thread.)


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.