by stephendicato 3768 days ago
To add to that, bcrypt is not the best recommendation if choosing a password hash today. In theory they should be adopting Argon2 (or maybe scrypt).

In practice, I suspect that either the bindings for Argon2/scrypt don't exist or aren't easily adoptable given their use of ColdFusion. They do exist in Python.

Either way, it seems like a sub-optimal decision.

3 comments

    they should be adopting Argon2
I'm saying this as a proponent of Argon2, who has invested a lot of time trying to improve the codebase[0].

It currently isn't ready in large production. Efforts to stabilise the API are being spearheaded by someone apparently outside the project[1]. If you're reading this @lucab, thank you.

In the meantime, my Ruby bindings have been broken on three separate occasions due to API changes. You could easily say "Don't track master", but the one release has a tag of 20151206, and it's just as arbitrary a tag as any particular commit id. There is no branch from which you could apply "bugfix only" updates.

Two separate commits broke compilation. This commit[2] was a shambles.

Most importantly, they have commits going in two days ago that change the test vectors[3]. That means if you update your library, verifying existing passwords breaks. The hash identifier doesn't change (in the way that bcrypt had $2, then changed it to $2a then $2y when they changed the algorithm), which means you can't just write an "upgrade hash" function. I can't find any documentation relating to this change.

It's important to note that none of this means your passwords are easily broken, or that it's insecure, which is the implication I often see thrown around when discussing Argon2 being "new".

[0] https://github.com/P-H-C/phc-winner-argon2/commits/master?au...
[1] https://github.com/P-H-C/phc-winner-argon2/issues/61
[2] https://github.com/P-H-C/phc-winner-argon2/issues/87
[3] https://github.com/P-H-C/phc-winner-argon2/commit/37e031213e...
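
An "upgrade hash" function of the kind the comment above refers to, as an added example (not part of the thread and not code from bcrypt, Argon2 or their bindings). The `$scheme$iterations$salt$digest` format, the scheme names and the cost value are constructed for the illustration, and PBKDF2 from the Python standard library stands in for the real algorithms. The point is that the verifier picks the algorithm from the identifier, so a change made under an unchanged identifier cannot be dispatched on.

```python
import base64
import hashlib
import hmac
import os

# Constructed format for this example: $<scheme>$<iterations>$<salt>$<digest>
# The scheme tag plays the role of bcrypt's $2 / $2a / $2y identifier.
SCHEMES = {"pbkdf2-sha1": "sha1", "pbkdf2-sha256": "sha256"}
CURRENT_SCHEME = "pbkdf2-sha256"
CURRENT_ITERATIONS = 600_000  # example cost value, an assumption


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password, scheme=CURRENT_SCHEME,
                  iterations=CURRENT_ITERATIONS, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(SCHEMES[scheme], password.encode(), salt, iterations)
    return f"${scheme}${iterations}${_b64(salt)}${_b64(digest)}"


def parse(stored):
    """Split a stored hash; reject identifiers we do not know how to verify."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] not in SCHEMES:
        raise ValueError("unknown or malformed hash identifier")
    return parts[1], int(parts[2]), base64.b64decode(parts[3]), base64.b64decode(parts[4])


def needs_upgrade(stored):
    scheme, iterations, _, _ = parse(stored)
    return scheme != CURRENT_SCHEME or iterations < CURRENT_ITERATIONS


def verify_and_upgrade(password, stored):
    """Return (ok, replacement). replacement is a new hash string when the
    login succeeded and the stored hash uses an outdated scheme or cost."""
    scheme, iterations, salt, expected = parse(stored)
    actual = hashlib.pbkdf2_hmac(SCHEMES[scheme], password.encode(), salt, iterations)
    if not hmac.compare_digest(actual, expected):  # constant-time comparison
        return False, None
    replacement = hash_password(password) if needs_upgrade(stored) else None
    return True, replacement
```

The caller stores `replacement` in place of the old hash when it is not `None`; the plaintext is only available at login, which is why the upgrade happens there.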

All three are good choices, with their own advantages and disadvantages. Argon2 may be clearly the best choice a few years from now, but both the algorithm and software implementations are immature. It makes sense to be conservative and go with the more battle-tested options.

(Also last I looked Python has no good scrypt bindings.)

https://paragonie.com/blog/2016/02/how-safely-store-password...
https://news.ycombinator.com/item?id=11118720

You're right. I agree. In practice I'd heavily weight the decision based on whatever is best supported in the Python libraries they are adopting.

Just an FYI, NIST still recommends SHA-2 for password hashing; they still don't see enough benefit from Bcrypt with the advent of super fast ASICs and FPGAs. Scrypt and Argon2 are too immature. ColdFusion isn't a reason for not using either, as ColdFusion can run any Java code very easily. Python can run C code easily. So bindings for any language are never a reason as long as you know how to use your tools. Bcrypt does add some extra benefits over SHA-2 for typical offline password hacking. So it's still a good step. It would be foolish to go with Argon2 as it only won the Password Hashing contest a little over 6 months ago. Bcrypt has been found to be solid for over 15 years now and has had tons of eyeballs on it. Scrypt has had issues in the past and hasn't been nearly as scrutinized as Bcrypt. The fact of the matter is, the good guys aren't working as hard as the bad guys when it comes to good security.