by seiji 5477 days ago
scrypt slides: http://www.tarsnap.com/scrypt/scrypt-slides.pdf

Takeaway: Cost to crack one MD5 password: $1. Cost to crack one scrypt password: $50M to $200B.

You want your login to be slow compared to the rest of your application. It's okay to take half a second to verify a login.

scrypt is better than bcrypt, but not by the same margin that bcrypt is better than salted hashes. Salted hashes are a straight-up vulnerability. bcrypt is a best practice.

Note that almost nobody uses scrypt. We don't recommend it, not because it's insecure, but because it's painful to implement for most companies.

But use either. Or just use PBKDF2. All of the adaptive hashes are fine.
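As an added example (not code from the thread or from any of the commenters), the schemes under discussion side by side: a salted fast hash next to the adaptive PBKDF2 and scrypt, behind one store/verify interface, plus a loop that picks a PBKDF2 iteration count for the "half a second" budget mentioned above. The function names, the `scheme$cost$salt$digest` record layout and the sample passwords are my own choices.

```python
import hashlib
import hmac
import os
import time

# Constructed demo: salted MD5 (one fast hash, nothing to tune) next to the
# adaptive hashes PBKDF2 and scrypt. The scheme and cost are stored with each
# record so the cost can be raised later without breaking existing records.

def hash_password(password: bytes, scheme: str, cost: int, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)            # fresh random salt per password
    if scheme == "md5":                      # cost is ignored: there is no work factor
        digest = hashlib.md5(salt + password).digest()
    elif scheme == "pbkdf2":                 # cost = iteration count
        digest = hashlib.pbkdf2_hmac("sha256", password, salt, cost, dklen=32)
    elif scheme == "scrypt":                 # cost = log2(N); memory is about 128*r*N bytes
        digest = hashlib.scrypt(password, salt=salt, n=1 << cost, r=8, p=1, dklen=32)
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return f"{scheme}${cost}${salt.hex()}${digest.hex()}"

def verify_password(password: bytes, stored: str) -> bool:
    scheme, cost, salt_hex, _digest_hex = stored.split("$")
    recomputed = hash_password(password, scheme, int(cost), bytes.fromhex(salt_hex))
    # constant-time comparison so a mismatch does not leak how many bytes matched
    return hmac.compare_digest(recomputed, stored)

def calibrate_pbkdf2(target_seconds: float, start: int = 1000) -> int:
    """Double the iteration count until one PBKDF2 run takes at least target_seconds."""
    iterations = start
    salt = os.urandom(16)
    while True:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"calibration", salt, iterations, dklen=32)
        if time.perf_counter() - t0 >= target_seconds:
            return iterations
        iterations *= 2

if __name__ == "__main__":
    iters = calibrate_pbkdf2(0.5)            # aim for roughly half a second per verify
    record = hash_password(b"correct horse", "pbkdf2", iters)
    t0 = time.perf_counter()
    ok = verify_password(b"correct horse", record)
    print(f"pbkdf2 iterations={iters} verify_ok={ok} took={time.perf_counter() - t0:.2f}s")
    print("md5 record for comparison:", hash_password(b"correct horse", "md5", 0))
```

The same per-password cost that makes a login take half a second is what turns a leaked table into the brute-force bill the slides quote, which is the point salted MD5 cannot deliver no matter how long the salt is.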

> All of the adaptive hashes are fine.

I am so glad you say this.

I can't count the arguments I've heard centered around what is The One True Way to store passwords... this topic turns every programmer on the planet into an instant Crypto Expert (TM).

STFU and use one. Hell, glib's crypt() lets you pick any of three computationally expensive schemes, so use one of those.

> Salted hashes are a straight-up vulnerability.

I find this a bit of a misnomer. I understand what you mean in context, of course, but, strictly speaking, bcrypt is a "hash", and "salted" is always good.

What was your goal with this comment?

Clarification. Right now we have

> Salted hashes are a straight-up vulnerability. -- tptacek

"Salted or unsalted versions of common hash functions (MD5, SHA-1, SHA-2, SHA-3) are not to be used to store passwords."