cyrtophora


commit a050da2b5e8711311b72b625ef5b0e78b497db69
parent 4397e3ba38deb84ef080b52531eeb453df4ef419
Author: Jackson G. Kaindume <seestem@merely.tech>
Date:   Thu, 18 Aug 2022 01:34:28 +0200

add more info

Diffstat:
M doc/password-hashing.md | 26 +++++++++++++++-----------
1 file changed, 15 insertions(+), 11 deletions(-)

diff --git a/doc/password-hashing.md b/doc/password-hashing.md @@ -18,26 +18,26 @@ A cool way to prevent this type of leak is by __obfuscating__ the users password with a [__hash function__](https://en.wikipedia.org/wiki/Hash_function). There are lots of hash functions that can be used, but most of these -are not recommended. For example if you use SHA-256 or other +will be a bad idea to use. For example if you use SHA-256 or other computationally cheap (hash function without a __work factor__ -parameter) functions, they are vulnerable to dictionary attacks. +parameter) functions, they are vulnerable to rainbow table attacks. Bruteforce is also possible if the password length is short/known, asic miners can generate 100 TeraHashes PER Second. The server can increase the passwords entropy by concatenating it with -a random string. Users can also protect themselves by using longer -passwords. +a random string aka the __salt__. Users can also protect themselves +by using longer passwords. -The best method to use against plaintext password leaks and dictionary -attacks is to use a __Password Hash Function__. Which is a hash -function specially designed to be slow/expensive to compute which -makes it impossible to bruteforce with current machines. +The best method to use against plaintext password leaks and rainbow +table attacks is to use a __Password Hash Function__. Which is a hash +function specially designed to be slow/expensive to compute even on +specialized hardware. ## Scrypt [recommended] -The [scrypt](https://en.wikipedia.org/wiki/Scrypt) hash function uses large amounts of memory when hashing +The [scrypt](https://www.tarsnap.com/scrypt.html) hash function uses large amounts of memory when hashing making it expensive to scale to the point of reasonable bruteforce -attacks. +attacks. Secure against hardware brute-force attacks. A number of cryptocurrencies use __scrypt__ for proof of work. 
@@ -46,7 +46,8 @@ Created by Colin Percival of [Tarsnap](https://en.wikipedia.org/wiki/Tarsnap) ## Argon2d [recommended] The [Argon2d](https://en.wikipedia.org/wiki/Argon2) function is -designed to resist GPU cracking attacks. +designed to resist GPU cracking attacks. Secure against hardware +brute-force attacks. It is the winner of [Password Hashing Competition](https://www.password-hashing.net/). @@ -55,12 +56,15 @@ It is the winner of [Password Hashing Competition](https://www.password-hashing. [Bcrypt](https://en.wikipedia.org/wiki/Bcrypt) is based on the [blowfish](https://en.wikipedia.org/wiki/Blowfish_(cipher)) cipher. +Vulnerable against hardware brute-force attacks. + ## PBKDF2 [PBKDF2](https://en.wikipedia.org/wiki/PBKDF2) is an key derivation function with a sliding computational cost to reduce bruteforce search. +Vulnerable against hardware brute-force attacks. ## Conclusion
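Review bot: In the first hunk (@@ -18,26), replacing "dictionary attacks" with "rainbow table attacks" narrows the claim in a way the following paragraph undercuts: the salt introduced right after defeats precomputed rainbow tables, but a salted SHA-256 is still cheap to compute and therefore still exposed to dictionary and brute-force attacks, which is exactly what the "asic miners can generate 100 TeraHashes PER Second" sentence is pointing at. Suggest keeping both, e.g. "they are vulnerable to dictionary and rainbow table attacks", so the salt paragraph reads as fixing one problem and the password hash function paragraph the other. In the same hunk, the added "Secure against hardware brute-force attacks." for scrypt is an absolute the preceding sentence does not support: "expensive to scale" is resistance, not immunity, and it depends on the cost parameters chosen, so "resistant to" would be more accurate. Minor, in the context lines: "the users password" and "the passwords entropy" want apostrophes.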
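Review bot: In the Argon2d hunk (@@ -46,7), "Secure against hardware brute-force attacks." should be toned down to "resistant to", for the same reason as the scrypt sentence: "designed to resist GPU cracking attacks" describes raised cost, not immunity. Also worth a second look at which variant the section recommends: the heading names Argon2d (the data-dependent variant) while the link and the Password Hashing Competition reference are to Argon2 as a family, and Argon2id is the variant generally recommended for password hashing; either name Argon2id or say why Argon2d is preferred here.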
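Review bot: In the last hunk (@@ -55,12), both added "Vulnerable against hardware brute-force attacks." lines (bcrypt and PBKDF2) read oddly ("vulnerable to") and overstate the case: the PBKDF2 description two lines up says it has a sliding computational cost, and bcrypt has a work factor as well, so neither is vulnerable in the sense that plain SHA-256 is. The accurate contrast with the scrypt and Argon2 sections is that these two are not memory-hard, so GPU/ASIC attackers scale against them more cheaply; suggest "Not memory-hard, so less resistant to GPU/ASIC cracking than scrypt or Argon2." Also in the context line, "is an key derivation function" should be "a key derivation function".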