by sillysaurus3 3199 days ago
Scrypt isn't badly designed. It's also difficult to misuse.

This is like saying "bcrypt is badly designed."

Note that you are specifically attacking scrypt with the title -- "login.gov encryption" can be substituted with "scrypt."

If you were to say it's illegal for them to be using scrypt since scrypt is not an approved KDF, that would carry more weight.

Cryptographic flaws

1. scrypt is used as password-based KDF, which violates NIST 140-2

This isn't a cryptographic flaw! The phrase "cryptographic flaw" means something.

5. hash(E) is stored right next to the ciphertext from (4). Who thought that storing a hash of the encryption key right next to PII ciphertext encrypted with that key was a good idea?

Storing the hash of an encryption key is fine, as long as the hash function is strong.

It's frustrating that a government website is making solid cryptographic choices and then being lampooned like this. It would be far more productive to make scrypt an approved NIST KDF.

2 comments

If anything, this is an argument to expand FIPS, not an argument to deauthorize login.gov.
Scrypt isn't battle tested enough tbh.

When it's something as important as this, the proper choice is to use something that's been analyzed, and attacked for numerous years.

There are about 3.5 billion dollars riding on scrypt through Litecoin[0], for what it's worth (which is about 3.5 billion dollars, doh!).

[0]: https://coinmarketcap.com/currencies/litecoin/

Password vulns are a tiny, tiny fraction of modern security vulnerabilities. If it's important, get it pentested. I guarantee no pentest from a reputable firm would flag scrypt as a vulnerability.