by tyho 3990 days ago
Impressive stuff. One of the features of the winner is that you can offload the expensive computation to a client and still maintain the security you would have if it were done on the server. This should hopefully persuade people to use slow hash functions where they otherwise would not due to performance concerns.

It also allows client-independent strengthening of the hashes, so you don't have to wait for users to login again to be able to increase the strength of all existing hashes.
That's a pretty compelling feature.
This is trivial to achieve with any hash function.
AFAIK you store the hash along the algorithm/parameters you used to generate it. To update the hash you wait for the user to log in and...

1. check if the stored hash is identical to the hash you generate on the fly using the old algorithm

2. create a new hash using the new algorithm and substitute both the old hash and the old information about the algorithm/parameters

What's the trivial way to achieve it without the user logging in?

GP might be thinking of cases where the Nth iteration of the hash is only based on the salt and the result of the N-1st iteration, rather than on the original passphrase.

I'm not aware of any currently recommended algorithm that does this, though. The original passphrase usually goes into each and every iteration, not just the first round.

Hash your existing hash with a more powerful algorithm.
Exactly, it's hacky, but Scrypt'ing your ancient MD5 databases is better than sitting on your ass and being caught with your pants down when your database gets dumped on pastebin or a Russian forum.
Being able to have the client (which knows the password it offered) do this computation isn't something super special though-- it's something that could be done fine with pbkdf2-- for example.

If fancy client support is really an option it would usually be better to use a zero-knowledge authentication protocol (like SRP), though one of these KDFs could be used as a preprocessing step.

> One of the features of the winner is that you can offload the expensive computation to a client and still maintain the security you would have if it were done on the server

Can't you do that with any password hashing alg?

Yeah, I've heard it called "server relief." Slow password hash is computed on the client, then transmitted to the server and run through a fast hash before being stored.
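The two ideas the thread discusses, wrapping an existing hash in a stronger KDF offline (storing the algorithm chain beside the digest, as suggested above) and "server relief", as an added example that is not code from any commenter; it uses Python's `hashlib.scrypt`, constructed sample salts and passwords, and a deliberately small scrypt cost so it runs quickly.

```python
import hashlib
import hmac

# Constructed sample: a legacy record keeping the algorithm chain and
# parameters next to the digest, so the server knows how to replay it.
LEGACY_SALT = b"constructed-salt"
legacy_record = {
    "chain": ["md5"],
    "salt": LEGACY_SALT,
    "digest": hashlib.md5(LEGACY_SALT + b"correct horse").digest(),
}

def scrypt_layer(data: bytes, salt: bytes) -> bytes:
    # n=2**14 keeps the example fast; production would use a higher cost.
    return hashlib.scrypt(data, salt=salt, n=2**14, r=8, p=1, dklen=32)

def strengthen_offline(record: dict) -> dict:
    """Wrap the stored digest in scrypt without knowing the password,
    and append the new step to the stored chain so logins still verify."""
    return {
        "chain": record["chain"] + ["scrypt"],
        "salt": record["salt"],
        "digest": scrypt_layer(record["digest"], record["salt"]),
    }

def derive(password: bytes, record: dict) -> bytes:
    """Replay the stored chain over the offered password at login time."""
    data = password
    for step in record["chain"]:
        if step == "md5":
            data = hashlib.md5(record["salt"] + data).digest()
        elif step == "scrypt":
            data = scrypt_layer(data, record["salt"])
        else:
            raise ValueError(f"unknown chain step {step!r}")
    return data

def verify(password: bytes, record: dict) -> bool:
    return hmac.compare_digest(derive(password, record), record["digest"])

# Server relief: the client runs the slow KDF and sends the result; the
# server applies only a fast hash before storing or comparing it.
def client_prehash(password: bytes, salt: bytes) -> bytes:
    return scrypt_layer(password, salt)

def server_store(prehash: bytes) -> bytes:
    return hashlib.sha256(prehash).digest()

def server_verify(prehash: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(server_store(prehash), stored)
```

Storing the fast hash of the client-side result means a dumped database still does not reveal the login token, while a legacy record upgraded with `strengthen_offline` verifies without the user ever logging in.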