9

In the question Do any security experts recommend bcrypt for password storage? Thomas Pornin recommends the hashing function scrypt but saying it is "too new to be recommended on a general basis".

Scrypt is from 2009 and I would like to know, if any problems have been found with this function, yet?

Also I would like to know if it's ready for production but I guess that would be opinion based and should only be a side note.

PiTheNumber
  • 5,414
  • 4
  • 21
  • 36
  • 1
    From [this discussion](https://groups.google.com/forum/#!msg/sci.crypt/Wz1hzyZECKs/g6qGHLmPUPYJ) it seems scrypt is demonstrably secure. A better question might be: is there a secure implementation out there? – RoraΖ Jan 09 '15 at 15:14
  • 1
    There are some time-memory trade-offs that can be annoying (GPU pulls ahead of CPU) for low memory instantiations of scrypt. I'm not aware of anything that causes problems for scrypt using a lot of memory. – CodesInChaos Jan 09 '15 at 16:11
  • 1
    Pornin also said in [this very good answer](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords/31846#31846) that if it's been in existence for at least 5 years, it's good, which means you could actually start using it as early as 2014 :). So if you trust him (like I do), go for it. – dnang Jan 16 '15 at 10:05

1 Answers1

4

After 5 month without answer, only comments, I like to sum up:

  • From a discussion in sci.crypt it seems that scrypt is demonstrably secure.
  • Most people on SO trusts scrypt.
  • I have seen no one claimed to have a problem with the algorithm itself.

Regardless there might be issues with the implementation. A straight forward implementation of scrypt is potentially vulnerable to timing attacks but that should not be a problem.

PiTheNumber
  • 5,414
  • 4
  • 21
  • 36