Choosing the password hashing algorithm

David Whitlock edited this page Sep 7, 2017 · 3 revisions

Choosing an algorithm

The algorithms Argon2, Bcrypt and Pbkdf2 are currently considered to be the strongest password hashing functions.

Argon2 is a lot newer, and this can be considered to be both an advantage and a disadvantage. On the one hand, Argon2 benefits from more recent research. On the other hand, Argon2 has not received the same amount of scrutiny that Bcrypt / Pbkdf2 has.

Argon2

Argon2 is the winner of the Password Hashing Competition (PHC).

Argon2 is a memory-hard password hashing function which can be used to hash passwords for credential storage, key derivation, or other applications.

Being memory-hard means that it is not only computationally expensive, but it also uses a lot of memory (which can be configured). This means that it is much more difficult to attack Argon2 hashes using GPUs or dedicated hardware.

More information is available at the Argon2 reference C implementation repository

Bcrypt

Bcrypt is a key derivation function for passwords designed by Niels Provos and David Mazières. Bcrypt is an adaptive function, which means that it can be configured to remain slow and resistant to brute-force attacks even as computational power increases.

Bcrypt has no known vulnerabilities and has been widely tested for over 15 years. However, as it has a low memory use, it is susceptible to GPU cracking attacks.

Bcrypt versions

This version of Bcrypt is based on the OpenBSD version, and it supports the '2b' (the newer, recommended version) and '2a' prefixes. It does not support the '2y' prefix, which is used by the Openwall version of Bcrypt. However, Bcrypt hashes with the '2y' prefix are meant to be fully compatible with the OpenBSD '2b' prefixed hashes, and so you should be able to change the prefix and then use them with Comeonin / Bcrypt_elixir. More information can be found here.

Pbkdf2

Pbkdf2 is a password-based key derivation function that uses a password, a variable-length salt and an iteration count and applies a pseudorandom function to these to produce a key.

Pbkdf2 has no known vulnerabilities and has been widely tested for over 15 years. However, like Bcrypt, as it has a low memory use, it is susceptible to GPU cracking attacks.

The original implementation of Pbkdf2 used SHA-1 as the pseudorandom function, but this version uses HMAC-SHA-512, the default, or HMAC-SHA-256.

Pbkdf2 output format

The modular crypt format is the default output. Also supported are the output format that Django uses, as well as hex output.

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.