Password hashing: Keccak or not
The winner of the SHA-3
hashing algorithm competition has been selected. Keccak Winner's Algorithm .
I use Blowfish and love it a lot, but Keccak is said to be better. Should I use it to store user passwords on my website?
If so, are there any Keccak implementations for PHP, Python, Ruby, or any other languages used in web programming?
Hope this question helps other people as well. Thank!
source to share
I use Blowfish and really like it, but Keccak is said to be better.
Better is a relative term. Better in what? Security, performance, scalability, portability, ...?
If you want to increase "security" just for hashing user passwords, then Keccak is probably not a good option. Blowfish will give you better "security" as it will take longer to iterate over the hash if the hash is ever found.
Speaking of which, Keccak is a decent option if you're looking for something to work in embedded architecture or want to increase portability. Here is the PHP implementation on github and here is another one You can also make your own language extension by downloading the Keccak source .
But honestly, it's best to stick with what you know. If a hacker can easily get the blowfish hashes you are currently using, the problem is not the hashing algorithm, but the database access. Also note that the PHP extension must be installed on ALL servers using this, which may or may not be possible if you are using a shared host.
In reality, you should probably stick with what you have. This is most likely safe enough, and once the Keccak implementation is ported to the standard PHP core, you can go (then you have to). Just my two cents.
source to share
short answer:
No, and probably never. For hashing passwords, BCrypt and PBKDF2-HMAC-xxx is a better choice than any simple SHA-1/2/3 algorithm. And as long as there are no actual predicate attacks on SHA-1/2, SHA-3 is actually the worst choice, in part because of its speed and low cache size.
longer answer:
The main factor in the relative security of the various password hashing algorithms is: How much faster can a hacker password you have assigned to hackers be extracted? That is, how much faster is their hardware / software combination (acquired with the explicit purpose of hashing passwords) compared to your software on your server (embedded C implementation for software purchased for your application's needs).
One of the main criteria for SHA-3 was that it should work efficiently on embedded architectures that are characterized by small amounts of cache, registers, etc. But it also describes modern GPUs: fewer registers / accumulators, less caching; but on the flip side, their silicon is optimized to work in parallel on large amounts of data. This is perfect for the attacker's brute-force attempts: forever spent on silicon, your attacker gets more SHA3 hashes / sec, buying a different GPU than you, buying a better processor.
For this particular reason, BCrypt was designed to do more read / write operations on a table in memory, which is currently larger than the cache memory of most GPUs. This means the current GPU-based BCrypt implementations are not even accelerating with their processors. Thus, by choosing BCrypt, you slow down your attacker's advantage for every dollar they spend, forcing them to buy processors just like you.
This is why raw speed is the enemy of password hashing. You want to choose an algorithm whose fastest combination of software and hardware offers your attacker the least dollar advantage over the software / hardware you will be using. Right now, that's BCrypt, or a slightly smaller selection of PBKDF2-HMAC-xxx. Since GPUs are likely to be better at SHA3, I doubt this would be the right choice. I don't have numbers in SHA3, but "safer" is not a vaguely relative term - this rule can be used to pinpoint its number.
source to share
This is an old question, but it looks like everyone is confused about encryption terminology again . Make some things clear.
- Keccak is a cryptographic hash function.
- Blowfish is a block cipher (which is a 64-bit block and should no longer be used for encryption).
- Bcrypt is a password hashing function that has a different precedent than a simple cryptographic hash function. Bcrypt is based on Blowfish, but it is not Blowfish.
I'm not just pedantic; these differences are important because Keccak does not compete with bcrypt, it competes with SHA-256.
Here's a simple way to securely store a password in PHP :
- Use
password_hash()
,password_verify()
andpassword_needs_rehash()
What is it. You don't even need to care what these functions do, you just need to use them (unless you are using something like libsodium).
This interface is currently provided by bcrypt. Bcrypt is mostly fine, except for a few foot bullets to keep an eye out for:
- It truncates passwords after 72 characters, which compromises the security of long passwords with low entropy key space per character.
- If you try to bypass the previous leg-bullet by pre-hashing, be careful not to pipe the original binary to bcrypt, because it truncates characters as well
NUL
.
If you are worried about these issues, there is a temporary stop in password_lock .
In PHP 7.2 it will probably be possible to use Argon2i through this interface (subject to RFC passing).
After a few years (around PHP 7.5, without making any major bugs in the release), we can see what PASSWORD_ARGON2I
will become the new meaning for PASSWORD_DEFAULT
, but maybe not. We have several years for crypto researchers to gain trust.
source to share