[fpc-pascal] is scrypt available?
Jonas Maebe
jonas.maebe at elis.ugent.be
Fri Oct 30 17:06:22 CET 2015

Frederic Da Vitoria wrote on Fri, 30 Oct 2015:
> 2015-10-30 16:39 GMT+01:00 Jonas Maebe <jonas.maebe at elis.ugent.be>:
>
>> Never ever use CRC32 in a crypto context, it's completely unsuited and
>> easily cracked. The subject of this thread is already about finding an
>> implementation for scrypt, which is a (at this time considered) secure
>> hashing algorithm.
>>
>
> My point is precisely that in this situation, there would be nothing to
> crypt. Just check validity.

Yes, that's what *secure* hash functions are for. CRC32 is not secure
in any way. scrypt and bcrypt are secure.

> So use CRC64 if you want (the size difference
> won't probably be relevant by current standards), but don't store the
> actual password. What isn't there can't be cracked, not even with future
> technology :-)

It can already be cracked very quickly with yesterday's technology,
using so-called rainbow tables. Or even just by quickly creating a
hash collision, see e.g.
http://www.irongeek.com/i.php?page=videos/weak-hashing-algorithms-outlook-pst-file-crc32-password-cracking-example or
http://www.woodmann.com/fravia/crctut1.htm

Jonas
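
The point made in the message above, as an added example that is not part of the original post or of any FPC code: a verifier that stores only a CRC32 accepts a second, different input, while a salted scrypt verifier rejects it. It is written in Python because its standard library ships both `zlib.crc32` and `hashlib.scrypt`; the scrypt cost parameters and the sample inputs are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import itertools
import os
import zlib

# scrypt cost parameters: assumed example values, tune them for your hardware.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32)


def candidate(i):
    """Constructed sample input: 8 pseudo-random bytes derived from a counter."""
    return hashlib.sha256(i.to_bytes(8, "big")).digest()[:8]


def find_crc32_collision():
    """Return two different inputs with the same CRC32 (birthday search).

    A 32-bit checksum has only 2**32 values, so a repeat is expected
    after roughly 2**16 inputs.
    """
    seen = {}
    for i in itertools.count():
        data = candidate(i)
        crc = zlib.crc32(data)
        if crc in seen and seen[crc] != data:
            return seen[crc], data
        seen[crc] = data


def crc32_verify(stored_crc, attempt):
    """The scheme argued against in the thread: compare checksums only."""
    return zlib.crc32(attempt) == stored_crc


def scrypt_enroll(password):
    """Store a random per-password salt and the scrypt output, never the password."""
    salt = os.urandom(16)
    return salt, hashlib.scrypt(password, salt=salt, **SCRYPT_PARAMS)


def scrypt_verify(salt, stored, attempt):
    """Recompute scrypt with the stored salt and compare in constant time."""
    derived = hashlib.scrypt(attempt, salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(derived, stored)


if __name__ == "__main__":
    real, other = find_crc32_collision()
    print("CRC32 accepts a different input:", crc32_verify(zlib.crc32(real), other))
    salt, stored = scrypt_enroll(real)
    print("scrypt accepts it:", scrypt_verify(salt, stored, other))
```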