谢宏第一任老婆:How To Safely Store A Password | codahale.com

How To Safely Store A Password

31 Jan 2010

Use bcrypt

Use bcrypt.Use bcrypt.Use bcrypt.Use bcrypt.Use bcrypt.Use bcrypt.Use bcrypt.Use bcrypt.Use bcrypt.

Why Not {MD5, SHA1, SHA256, SHA512, SHA-3, etc}?

These are all general purpose hash functions, designed to calculate a digestof huge amounts of data in as short a time as possible. This means that they arefantastic for ensuring the integrity of data and utterly rubbish for storingpasswords.

A modern server can calculate the MD5 hash of about330MB every second. If yourusers have passwords which are lowercase, alphanumeric, and 6 characters long,you can try every single possible password of that size in around40 seconds.

And that’s without investing anything.

If you’re willing to spend about 2,000 USD and a week or two picking upCUDA, you can put together yourown little supercomputer cluster which will let youtry around 700,000,000 passwords a second.And that rate you’ll be cracking those passwords at the rate of more than oneper second.

Salts Will Not Help You

It’s important to note that salts are useless for preventing dictionaryattacks or brute force attacks. You can use huge salts or many salts orhand-harvested, shade-grown, organic Himalayan pink salt.It doesn’t affect how fast an attacker can try a candidate password, given thehash and the salt from your database.

Salt or no, if you’re using a general-purpose hash function designed for speedyou’re well and truly effed.

bcrypt Solves These Problems

How? Basically, it’s slow as hell. It uses a variant of the Blowfishencryption algorithm’s keying schedule, and introduces a work factor, whichallows you to determine how expensive the hash function will be. Because ofthis, bcrypt can keep up with Moore’s law. As computers get faster you canincrease the work factor and the hash will get slower.

How much slower is bcrypt than, say, MD5? Depends on the work factor. Usinga work factor of 12, bcrypt hashes the password yaaa in about 0.3 seconds onmy laptop. MD5, on the other hand, takes less than a microsecond.

So we’re talking about 5 or so orders of magnitude. Instead of cracking apassword every 40 seconds, I’d be cracking them every 12 years or so. Yourpasswords might not need that kind of security and you might need a fastercomparison algorithm, but bcrypt allows you to choose your balance of speedand security. Use it.

tl;dr

Use bcrypt.

Updated February 24th, 2011

I’ve been getting pretty regular emails about this article for the past year, and I figured I’d address some of the concerns here rather than have the same conversations over and over again.

Isn’t bcrypt just Blowfish? Where do you store the password?

Please read the Provos & Mazières paper. bcrypt is an adaptive password hashing algorithm which uses the Blowfish keying schedule, not a symmetric encryption algorithm.

You said salts aren’t helpful, but what about rainbow tables? Why would you suggest people not use salts?

As the Provos & Mazières paper describes, bcrypt has salts built-in to prevent rainbow table attacks. So I’m not saying salts are without purpose, I’m saying that they don’t prevent dictionary or brute force attacks (which they don’t).

Rainbow tables, despite their recent popularity as a subject of blog posts, have not aged gracefully. CUDA/OpenCL implementations of password crackers can leverage the massive amount of parallelism available in GPUs, peaking at billions of candidate passwords a second. You can literally test all lowercase, alphabetic passwords which are ≤7 characters in less than 2 seconds. And you can now rent the hardware which makes this possible to the tune of less than $3/hour. For about $300/hour, you could crack around 500,000,000,000 candidate passwords a second.

Given this massive shift in the economics of cryptographic attacks, it simply doesn’t make sense for anyone to waste terabytes of disk space in the hope that their victim didn’t use a salt. It’s a lot easier to just crack the passwords. Even a “good” hashing scheme of SHA256(salt + password) is still completely vulnerable to these cheap and effective attacks, thus the importance of an adaptive hashing algorithm like bcrypt.