A Critique of sha256crypt / sha512crypt on GNU/Linux

posted by chromas on Thursday May 24, @01:24PM
from the 694a5b3e413a0ac1a7daaba2116966ea356ff40328b556ed14781f2a67e2e909 dept.
Security

canopic jug writes:

Aaron Toponce demonstrates why he thinks that using sha256crypt or sha512crypt on current GNU/Linux operating systems is dangerous, and why he thinks that the developers of GLIBC should move to scrypt or Argon2, or at least bcrypt or PBKDF2. After going into a bit of analysis, he concludes that practically everything else should be avoided, especially md5crypt, sha256crypt, and sha512crypt and many others.

  • (Score: 2) by JoeMerchant on Thursday May 24, @02:00PM (1 child)

    by JoeMerchant (3937) on Thursday May 24, @02:00PM (#683542)

    should move to scrypt or Argon2, or at least bcrypt or PBKDF2. After going into a bit of analysis, he concludes that practically everything else should be avoided

    This is a big red flag saying: be suspicious of bcrypt and PBKDF2. Not that he's wrong, just suspicious.

    • (Score: 2) by FakeBeldin on Thursday May 24, @02:06PM

      by FakeBeldin (3360) on Thursday May 24, @02:06PM (#683545) Journal

      As the fine article points out, bcrypt and PBKDF2 are "CPU hard" (see the article to make that precise).
      Argon and scrypt are both CPU hard *and* "memory hard" meaning that you cannot easily trade off CPU time for memory.

      That's why those two come higher recommended: they offer additional protection against time-memory trade-offs, which neither bcrypt nor PBKDF2 does.
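An added example (not from the article or from the comment above) contrasting the two cost models using Python's hashlib: PBKDF2 exposes only an iteration count, so memory per guess stays near constant, while scrypt's N and r also fix how much RAM every guess must touch (128*r*N bytes). The parameter values are illustrative assumptions, not recommendations from the article.

```python
import hashlib
import hmac

# Added example: a CPU-hard KDF (PBKDF2-HMAC-SHA256, cost = iterations, memory
# roughly constant) beside a memory-hard one (scrypt, cost = N*r*p, memory =
# 128*r*N bytes). Parameter values are illustrative, not recommendations.


def scrypt_memory_bytes(n: int, r: int) -> int:
    """Approximate RAM scrypt's core needs: N blocks of 128*r bytes each."""
    return 128 * r * n


def derive_pbkdf2(password: bytes, salt: bytes, iterations: int = 600_000) -> bytes:
    # Only the iteration count is tunable; an attacker can evaluate many
    # guesses in parallel with almost no memory per guess.
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def derive_scrypt(password: bytes, salt: bytes, n: int = 2**14, r: int = 8, p: int = 1) -> bytes:
    # n (work factor, power of two) and r (block size) together fix the RAM
    # each evaluation must hold; maxmem must allow it or OpenSSL rejects the call.
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p, dklen=32,
                          maxmem=2 * scrypt_memory_bytes(n, r))


def verify(stored: bytes, candidate: bytes) -> bool:
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(stored, candidate)


if __name__ == "__main__":
    salt = b"\x00" * 16  # constructed fixed salt for a reproducible demo
    print("PBKDF2:", derive_pbkdf2(b"correct horse", salt).hex())
    print("scrypt:", derive_scrypt(b"correct horse", salt).hex(),
          "needs ~%d MiB" % (scrypt_memory_bytes(2**14, 8) // (1024 * 1024)))
```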

  • (Score: 0) by Anonymous Coward on Thursday May 24, @02:06PM

    by Anonymous Coward on Thursday May 24, @02:06PM (#683546)

    the sort of details that a cryptographer or cryptography expert would pay attention to, as opposed to an end-developer.

    So what's an end-developer?

    Why does it feel like he's associating them with rectal excretions?

