I've been meaning to do a postmortem on the password hashing competition for probably over 2 years. I wanted optimized defender and attacker code for each algo, so we could make a good choice. We really needed to have an optimization competition with financial rewards.
Also if we auto submitted "pre and post hashed bcrypt" it probably would have made us go "oh shit 'memory hard' is not the way to go it's 'cache hard'". Since a better cache hard algo, like Pufferfish, is better for "≲2.5 second" runs than Argon2 (both tuned correctly).
Pufferfish isn't the best cache hard algo. It's too closely aligned to bcrypt: it took the bad parts and didn't improve enough on the good parts. I realize this now after spending a fuck ton of time on "not bcrypt". Now "bs(crypt)" because "BS(PAKE)"… cause self-deprecation FTW.
With current CPUs/GPUs and a good cache hard algo using 128KiB to 256KiB is ~5x harder than bcrypt by pushing it to global RAM. This means it pushes "better than memory hard (with correct settings)" from "≲1 second" to "≲2.5 seconds".
As a panelist, I fucked up during the competition. I burnt out breaking the bear one--Makwa which changed just before I was going to post my analysis. So I delayed posting it until I read the changes… but burn out. Makwa is good for only one feature. All other features are *BAD*.
battcrypt (mine) sucks (besides trying to be both cache and mem hard) because PHP actually implemented the winner which was super unexpected. Parallel (mine) sucks because it needs special hardware (otherwise better than mem hard w/ ≲4GiB). #needsBenchmarks (also the ≲1, ≲2.5)
This was going to be like 1 or 2 tweets… well originally it was a blog post but lazy. Also #drunk… anyway we should probably have another password hashing competition for a cache hard algo. But this time state input and output are fixed width values like 128, 256, or 512 bits.
Right I forgot to mention there should be wrapper functions for Argon2 called "Argon2Simple" that only takes a cost and "Argon2SimpleKDF" that takes a cost and p. On the back end it does Argon2id, t=3, p=1 (for Argon2Simple), m=16KiB*2**cost*p. This is good for 99% of cases.
I should cc @veorq on this just so he sees it. "Argon2Simple" is important because PHP and KeePass both got this wrong on defaults. KeePass for "1 second delay" does Argon2d, p=2, m=1MiB, t=[enough for 1 second delay] and PHP does/did Argon2i, p=2, m=1MiB, t=2 (changing "soon").
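The cost-to-parameter mapping described in the thread (Argon2id, t=3, m=16KiB*2**cost*p), written out as an added example that is not the thread author's code. The function names, the comparison helper and the sample strings are assumptions made for illustration; the helper reads the standard Argon2 encoded-hash prefix, where m is given in KiB, and reports how a stored hash differs from that profile.

```python
import re

BASE_KIB = 16  # m = 16 KiB * 2**cost * p (mapping quoted from the thread)
_ENCODED = re.compile(r"^\$(argon2(?:id|i|d))\$(?:v=\d+\$)?m=(\d+),t=(\d+),p=(\d+)\$")

def argon2_simple_kdf_params(cost, p):
    """Expand (cost, p) into Argon2id parameters; memory is in KiB."""
    if cost < 0 or p < 1:
        raise ValueError("cost must be >= 0 and p must be >= 1")
    return {"variant": "argon2id", "t": 3, "p": p, "m_kib": BASE_KIB * 2**cost * p}

def argon2_simple_params(cost):
    """Same mapping with p fixed to 1."""
    return argon2_simple_kdf_params(cost, 1)

def compare_to_simple(encoded):
    """Return (cost or None, findings) for a stored Argon2 encoded hash."""
    match = _ENCODED.match(encoded)
    if not match:
        raise ValueError("not an Argon2 encoded hash")
    variant = match.group(1)
    m_kib, t, p = (int(g) for g in match.group(2, 3, 4))
    findings = []
    if variant != "argon2id":
        findings.append(f"variant {variant}, profile uses argon2id")
    if t != 3:
        findings.append(f"t={t}, profile uses t=3")
    # Memory fits the profile only if m / (16 KiB * p) is a power of two.
    units, rest = divmod(m_kib, BASE_KIB * p) if p else (0, 1)
    cost = None
    if rest == 0 and units >= 1 and units & (units - 1) == 0:
        cost = units.bit_length() - 1
    else:
        findings.append(f"m={m_kib} KiB is not 16 KiB * 2**cost * p for p={p}")
    return cost, findings

# Constructed sample strings; salt and tag fields are placeholders, not real hashes.
SAMPLES = [
    "$argon2i$v=19$m=1024,t=2,p=2$c2FtcGxlc2FsdA$Y29uc3RydWN0ZWQ",
    "$argon2id$v=19$m=65536,t=3,p=1$c2FtcGxlc2FsdA$Y29uc3RydWN0ZWQ",
]

if __name__ == "__main__":
    print(argon2_simple_params(12))
    for sample in SAMPLES:
        print(compare_to_simple(sample))
```

The returned dictionary can be passed to whichever Argon2 binding is in use; the first sample carries the Argon2i, p=2, m=1MiB, t=2 settings the thread attributes to PHP.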
