SAINTCCON 2016 - Aaron Toponce (eightyeight) - Correctly Hashing Passwords

Learn how to correctly hash passwords with Aaron Toponce's talk at SAINTCCON 2016, covering secure password hashing algorithms, threats, and best practices for securing your data.

Key takeaways
  • Improper password hashing algorithms can lead to security breaches
  • SHA-256 and MD5 are no longer secure options
  • Argon 2 is a recommended password hashing algorithm due to its CPU and memory requirements
  • S-Crypt and Bcrypt are popular alternatives, but may not be as secure as Argon 2
  • PBKDF2 is another secure option, but it’s not as efficient as Argon 2
  • Salts should not be used as a secret, and should be stored along with the hashed password
  • IEEE 2898 and NIST publications recommend the use of password hashing algorithms
  • It’s important to consider the cost factor and iteration count when selecting a password hashing algorithm
  • Bcrypt has a limit of 72 bytes, and S-Crypt can have variable parameters
  • Argon 2 has a CPU and memory knob, and is designed to be secure and efficient
  • S-Crypt and Bcrypt are CPU-expensive, but may not be as secure as Argon 2
  • PBKDF2 is designed to be slow and computationally expensive
  • Hashcat is a popular tool for password cracking, and should be used responsibly
  • A “cost factor” (N) should be used to determine the iteration count for password hashing
  • A “work factor” can also be used to determine the iteration count, but it may not be as effective as a cost factor
  • It’s important to consider the adversary’s resources and capabilities when selecting a password hashing algorithm
  • Password hashing should not be handled by the same algorithm as key derivation

More talks

Lucas Hale- Designing user friendly APIs for the NIST Interatomic Potentials Repository | SciPy 2023

Let's Go Quantum - Sam Burns