
So I have been working on password storage, especially on the algorithms to use (and to not use).

Most people are recommending scrypt or PBKDF2 for valuable reasons, but I have not seen any talks about the sha_crypt algorithm so far. What are the pros and cons of using this algorithm, and why do people prefer bcrypt/PBKDF2/scrypt to it?

Anders
Melt
    Welcome on Security SE. You will most likely find your answer in this thread: [How to securely hash passwords?](https://security.stackexchange.com/q/211/32746), in particular in the area following *"A basic hash function, even if secure as a hash function, is not appropriate for password hashing, because:"*. – WhiteWinterWolf Jun 21 '16 at 12:53
  • @WhiteWinterWolf Thanks, I know "the basics" of what a good password hashing algorithm is. Could you tell me, then, why is it still used in Unix systems if it's not appropriate? – Melt Jun 21 '16 at 14:24
  • Because it is more modern, therefore less compatible. Not all Unix systems support it yet: BSD variants do, some Linux do, but it is not widespread yet. Even when the option is available, due to the non-reversible nature of hashes, it is not possible to migrate SHA hashes to a more secure storage automatically, so it may take some time until all people using a server have renewed their passwords. Lastly, hashes may also be used by other services on the server for authentication purposes, and while the server may support more modern hashes, this service may not support them yet. – WhiteWinterWolf Jun 21 '16 at 14:49

1 Answer


SHA256crypt and SHA512crypt were described by Ulrich Drepper here. He provides an algorithm and implementation, but unfortunately not a security analysis, any proof that this algorithm is secure, or any insight into his design decisions. This makes it hard to analyze the security of the algorithm.

The algorithm is pretty much like PBKDF2, in that it performs many iterations of a hash. Like PBKDF2, it does not require a lot of memory to compute. This means that it can easily be computed on hardware with many cores with little memory, such as GPUs.

Scrypt and bcrypt were specifically designed to need some memory when computing them, which means they are more resistant to parallel computation on specific hardware.

Sjoerd
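As an added example (not code from the question or the answer): a small audit helper that parses the `$5$`/`$6$` SHA-crypt format found in `/etc/shadow`, reports the effective `rounds` cost, and puts it next to the memory that scrypt's core array needs, which is the asymmetry the answer describes. The default, minimum and maximum round counts are taken from Drepper's specification rather than from this page; the shadow lines are constructed and their digests are placeholders.

```python
import re

# Round limits from Drepper's SHA-crypt specification (assumed; not stated on the page).
ROUNDS_DEFAULT, ROUNDS_MIN, ROUNDS_MAX = 5000, 1000, 999_999_999

# $5$ = SHA-256 based, $6$ = SHA-512 based; "rounds=N$" is optional.
_SHA_CRYPT_RE = re.compile(
    r"^\$(?P<id>[56])\$(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[./0-9A-Za-z]{1,16})\$(?P<digest>[./0-9A-Za-z]+)$"
)


def parse_sha_crypt(entry: str) -> dict:
    """Parse a $5$/$6$ crypt string into algorithm, salt and effective cost."""
    m = _SHA_CRYPT_RE.match(entry)
    if not m:
        raise ValueError("not a SHA-crypt hash")
    requested = int(m["rounds"]) if m["rounds"] else ROUNDS_DEFAULT
    # The reference implementation silently clamps out-of-range values; report both.
    effective = min(max(requested, ROUNDS_MIN), ROUNDS_MAX)
    return {
        "algorithm": "sha256crypt" if m["id"] == "5" else "sha512crypt",
        "rounds": effective,
        "rounds_clamped": effective != requested,
        "salt": m["salt"],
    }


def scrypt_memory_bytes(n: int, r: int) -> int:
    """Bytes scrypt's core must hold: N blocks of 128*r bytes. SHA-crypt's working
    state stays at a few digest-sized buffers no matter how many rounds are used."""
    return 128 * r * n


def audit_shadow_line(line: str, min_rounds: int = 100_000) -> str:
    """Classify one shadow line as 'ok', 'weak-rounds' or 'not-sha-crypt'."""
    fields = line.split(":")
    if len(fields) < 2:
        return "not-sha-crypt"
    try:
        info = parse_sha_crypt(fields[1])
    except ValueError:
        return "not-sha-crypt"
    return "ok" if info["rounds"] >= min_rounds else "weak-rounds"


# Constructed sample entries (not real credentials); digests are placeholders.
SAMPLE_SHADOW = [
    "alice:$6$rounds=200000$abcdefghijklmnop$PLACEHOLDERDIGEST:19000:0:99999:7:::",
    "bob:$6$saltsalt$PLACEHOLDERDIGEST:19000:0:99999:7:::",          # default 5000 rounds
    "carol:$5$rounds=50$short$PLACEHOLDERDIGEST:19000:0:99999:7:::",  # clamped up to 1000
    "dave:$2b$12$PLACEHOLDERBCRYPTHASH:19000:0:99999:7:::",           # bcrypt, skipped
]

if __name__ == "__main__":
    for line in SAMPLE_SHADOW:
        print(line.split(":")[0], audit_shadow_line(line))
    print("scrypt N=2^14, r=8 needs", scrypt_memory_bytes(2**14, 8) // 2**20, "MiB")
```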