Paragon Initiative has put together a post with examples of how to use bcrypt & scrypt in PHP, Java, C#, Ruby, Python, and NodeJS. Most of the code examples are only a few lines long, making them easy to follow.
They had picked bcrypt as their standard example, with scrypt as the next alternative, based on their preferred algorithm list:
Although there is disagreement about how to rank them, cryptography experts agree that these algorithms are the only ones you should be using to store passwords in 2016:
– Argon2, the Password Hashing Competition winner.
– bcrypt
– scrypt
– The other Password Hashing Competition finalists ( Catena, Lyra2, Makwa, and yescrypt )
– PBKDF2 ( nearly everyone except FIPS agrees this is the worst of the acceptable options )
I’ll give Argon2 a few years of real world exposure before I’d consider it for the number one spot. Until then I agree that bcrypt is good default approach. For caveats on that see their “Why prioritize bcrypt over scrypt?” section.
For new systems this should be an easy thing to do ( you’ve already got code examples now! ). And converting old systems isn’t necessarily complex, most of the time will be spent testing.
2 replies on “Password Hashing Examples”
Like Scott mentions in the article, PBKDF2 should be in the same security camp as md5crypt, sha256crypt, and sha512crypt. All suffer with low memory requirements, simple circuit designs, and as a result, are a password crackers dream with fast GPUs and FPGAs. However, PBKDF2, md5crypt, sha256crypt, and sha512crypt can increase work effort by increasing the number of rounds, before storing to disk. No matter how you dice it, it WILL slow down the cracker. But it compared to bcrypt, really, it’s child’s play.
However, Scott only mentions one problem with scrypt as a password hashing function- improper memory hardness. Turns out, scrypt is a bit more sensitive than that with the time-memory-trade-off (TMTO). See http://www.openwall.com/lists/crypt-dev/2013/03/21/1 and http://www.openwall.com/lists/crypt-dev/2013/03/17/1. TL;DR- don’t recommend scrypt as a password hashing function. Use it for key derivation, however.
You’re also right to sit it out on Argon2. It’s just too new. Let it bake for about 5 years. If at that time, it is still considered sufficiently secure as a password hashing function, then you could start comfortably migrating production to it.
So, for the time being, stick with bcrypt.
Having bcrypt in production systems for years now is a strong point its favor. This is a case where you can’t substitute for the passage of time ( in terms of giving people a chance to look for a weakness in Argon2 ).