by tptacek 494 days ago
I don't think it's a good idea for people to adopt new bcrypt constructions so that they can use it to generate cache keys (or, worse, other keys).

(I need that "man standing up in the town hall meeting" meme for this.)

Just use a real KDF, if that's really what you want. I'm still confused what password-derived material is doing in a Redis key.


Maybe they wanted some cached data to get invalidated if users change their passwords?
Then use some other data which can act as a proxy for that, like the date of the last credential change. Using the password itself is a terrible security smell.
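A sketch of the proxy approach suggested in the comment above, as an added example that is not code from the thread or from any project discussed in it. The record fields `id` and `cred_changed_at`, the `authcache:` prefix, the server-side `CACHE_KEY_SECRET` and the dict-backed `AuthCache` stand-in for Redis are all assumptions made for the illustration.

```python
import hashlib
import hmac

# Assumption: a server-side secret used only for naming cache entries (constructed value).
CACHE_KEY_SECRET = b"constructed-demo-secret-not-for-production"

def session_cache_key(user_id: str, cred_changed_at: int) -> str:
    """Cache key bound to the user and the time of the last credential change.

    Neither the password nor its hash is an input, so a dump of the cache
    key space gives nothing to run a password-guessing attack against.
    """
    uid = user_id.encode()
    # Length-prefix the user id so distinct (id, timestamp) pairs never
    # serialize to the same byte string.
    msg = len(uid).to_bytes(4, "big") + uid + cred_changed_at.to_bytes(8, "big")
    tag = hmac.new(CACHE_KEY_SECRET, msg, hashlib.sha256).hexdigest()
    return f"authcache:{tag}"

class AuthCache:
    """Dict-backed stand-in for Redis GET/SET (hypothetical, for the demo)."""

    def __init__(self):
        self._store = {}

    def put(self, user, value):
        self._store[session_cache_key(user["id"], user["cred_changed_at"])] = value

    def get(self, user):
        return self._store.get(session_cache_key(user["id"], user["cred_changed_at"]))

def demo():
    cache = AuthCache()
    user = {"id": "alice", "cred_changed_at": 1700000000}  # constructed record
    cache.put(user, {"groups": ["staff"]})
    before = cache.get(user)
    # Password change: the application updates the timestamp on the user record.
    user["cred_changed_at"] = 1700003600
    after = cache.get(user)  # new key, so the old entry is no longer reachable
    return before, after

if __name__ == "__main__":
    print(demo())
```

The stale entry is unreachable rather than deleted, so in a real cache it should carry a TTL.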
By cache they mean cached credentials.

>The user previously authenticated creating a cache of the authentication

Maybe it's a password-encrypted secret token.

On the other hand Redis on the server side makes more sense as an LDAP backup, but then mapping should be user id -> bcrypt hash.
Could you give an example of a real KDF?
I'm not the person you're replying to, but HKDF and PBKDF2.