...

Strong-ish Password Hashing

Get introduced to a couple of special-purpose password hashing algorithms: PBKDF2 and bcrypt.

Password hashing algorithms

Salted hashes have several nice properties. The one remaining problem is the speed at which an attacker can test guesses: they would be much more secure if each guess took more time. Here’s our dumb hash algorithm again, but now it repeats its work some number of times:

def dumb_hash_count(count, value):
    # Repeat the whole byte sum `count` times; every iteration feeds the
    # running total, so skipping one changes the result.
    total = 0
    for _ in range(count):
        for b in bytes(value, 'utf-8'):
            total += b
    return total

print("count=123: %d" % dumb_hash_count(123, "apple"))
print("count=1000: %d" % dumb_hash_count(1000, "apple"))

Of course, this isn’t a real password hashing algorithm, but notice that anyone who tries to skip an iteration will get the wrong answer. Additionally, a count of 1,000 requires 1,000 times more processing power for each password guess than the original algorithm. Processing power costs an attacker real money, so making them spend 1,000 times more can be an effective deterrent. However, everything has a trade-off, and you’ll have to pay for this, too.
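The same idea with a real algorithm, as an added example that is not part of the lesson: PBKDF2-HMAC-SHA256 from Python's standard library, where the iteration count is the work factor. The record format (`pbkdf2_sha256$iterations$salt$key`) and the iteration counts are constructed for illustration, not a recommendation; the verifier reads the count back from the record so it repeats exactly the same work.

```python
import hashlib
import hmac
import os
import time

# Added example, not the course's own code. The constants below are
# illustrative choices for this demo.
HASH_NAME = "sha256"
SALT_BYTES = 16
DK_BYTES = 32

def derive_key(password, salt, iterations):
    """Run PBKDF2-HMAC-SHA256 for the given iteration count (the work factor)."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt,
                               iterations, dklen=DK_BYTES)

def hash_password(password, iterations):
    """Hash with a fresh random salt. The record stores the salt and the
    iteration count so the cost can be raised later for new passwords."""
    salt = os.urandom(SALT_BYTES)
    dk = derive_key(password, salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())

def verify_password(password, record):
    """Recompute the key from the stored parameters; compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = derive_key(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def seconds_per_hash(password, iterations):
    """Wall-clock cost of one guess at this work factor; the defender pays
    this on every login, the attacker on every guess."""
    salt = b"\x00" * SALT_BYTES  # fixed salt: only the timing matters here
    start = time.perf_counter()
    derive_key(password, salt, iterations)
    return time.perf_counter() - start

if __name__ == "__main__":
    record = hash_password("apple", 100_000)
    print(record)
    print("correct password:", verify_password("apple", record))
    print("wrong password:  ", verify_password("apples", record))
    for count in (1_000, 10_000, 100_000):
        print("iterations=%d: %.4f s per guess"
              % (count, seconds_per_hash("apple", count)))
```

The last loop makes the trade-off visible: each tenfold increase in the count costs roughly ten times longer, for the login server as much as for a guesser.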

bcrypt

...