
Re: crypt(3) interface to scrypt
Robert Ransom wrote, on 4/8/2010 8:13 AM:
> scrypt is a bad idea for website passwords -- tying up a web server's
> CPU for 0.5 seconds just to check a password is silly, and it is
> unlikely to add any security.  (After all, the user just typed the
> password into a browser...)  A web browser could use scrypt to protect
> an SSL secret key, but that is entirely a client-side decision.

Really?  I'm a sysadmin/practitioner, not a developer ... but my
inclination was to move to scrypt for any password storage that I can
control, based on the following:

* scrypt's parameters can be adjusted to find an acceptable turnaround
time for a given use.

* This may be naive of me, but if the web server and application are
(ideally) set up to keep the password safe from prying eyes while in
flight and in use, then isn't the weak link in the chain its storage?

* Since users often use the same password multiple places, keeping any
password as secure as possible is better for the Internet ecosystem as a
whole.

Royce
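An added example, not part of this thread, of the parameter tuning Royce refers to: it searches for the largest scrypt work factor N that keeps one derivation within a chosen time budget on the host, then stores and verifies passwords with the chosen parameters recorded beside the hash so N can be raised later without breaking old records. It uses Python's OpenSSL-backed hashlib.scrypt; the fixed r and p values, the memory cap and the `scrypt$N$r$p$salt$dk` storage string are constructed for this example, not a standard crypt(3) encoding.

```python
import hashlib
import hmac
import os
import time

# Parameters held fixed while N is tuned (constructed defaults for this example).
R, P, DKLEN = 8, 1, 32
MAXMEM = 512 * 1024 * 1024  # scrypt needs 128*N*r bytes; lift OpenSSL's 32 MiB default cap
MAX_N = 2**20               # refuse stored records claiming a larger N (memory/DoS bound)
SALT_BYTES = 16


def scrypt_seconds(password: bytes, salt: bytes, n: int) -> float:
    """Wall-clock seconds for one derivation at work factor N (a power of two)."""
    start = time.perf_counter()
    hashlib.scrypt(password, salt=salt, n=n, r=R, p=P, maxmem=MAXMEM, dklen=DKLEN)
    return time.perf_counter() - start


def calibrate_n(target_seconds: float, n_min: int = 2**10, n_max: int = MAX_N) -> int:
    """Largest power-of-two N in [n_min, n_max] whose derivation stays within the budget."""
    salt = os.urandom(SALT_BYTES)
    n = n_min
    while n < n_max and scrypt_seconds(b"calibration", salt, n * 2) <= target_seconds:
        n *= 2
    return n


def hash_password(password: str, n: int) -> str:
    """Derive a key with a fresh salt and record N, r, p, salt and key in one string."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=n, r=R, p=P, maxmem=MAXMEM, dklen=DKLEN)
    return f"scrypt${n}${R}${P}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the parameters recorded in the stored string; constant-time compare."""
    scheme, n, r, p, salt_hex, dk_hex = stored.split("$")
    if scheme != "scrypt" or int(n) > MAX_N:
        return False
    expected = bytes.fromhex(dk_hex)
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), maxmem=MAXMEM, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    n = calibrate_n(0.1)  # largest N that keeps one check under roughly 100 ms on this host
    record = hash_password("correct horse battery staple", n)
    print(n, verify_password("correct horse battery staple", record))
```

Because the parameters travel with each record, a deployment can raise N as hardware improves and re-hash a user's password at their next successful login rather than invalidating existing records.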