
Password Hashing Examples

Paragon Initiative has put together a post with examples of how to use bcrypt & scrypt in PHP, Java, C#, Ruby, Python, and NodeJS. Most of the code examples are only a few lines long, making them easy to follow.

They picked bcrypt as their standard example, with scrypt as the next alternative, based on their preferred algorithm list:

Although there is disagreement about how to rank them, cryptography experts agree that these algorithms are the only ones you should be using to store passwords in 2016:

– Argon2, the Password Hashing Competition winner.
– bcrypt
– scrypt
– The other Password Hashing Competition finalists (Catena, Lyra2, Makwa, and yescrypt)
– PBKDF2 (nearly everyone except FIPS agrees this is the worst of the acceptable options)

I’ll give Argon2 a few years of real-world exposure before I’d consider it for the number one spot. Until then I agree that bcrypt is a good default approach. For caveats on that, see their “Why prioritize bcrypt over scrypt?” section.

For new systems this should be an easy thing to do (you’ve already got code examples now!). Converting old systems isn’t necessarily complex either; most of the time will be spent testing.
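To show what that conversion looks like in practice, here is an added example of my own (not code from the Paragon post or any of its samples): a login routine that verifies against a hypothetical legacy store of unsalted hex SHA-256 hashes and upgrades each record to scrypt the first time its owner logs in successfully. It uses only the Python standard library (hashlib.scrypt needs OpenSSL 1.1 or newer), and the `scrypt$N$r$p$salt$dk` storage format is one I made up for the example.

```python
# Added example: migrate a legacy unsalted-SHA-256 password store to scrypt
# on the user's next successful login. Standard library only.
import base64
import hashlib
import hmac
import os

# scrypt cost parameters chosen for this example (about 16 MiB of memory);
# tune them for your own hardware and latency budget.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def scrypt_hash(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: scrypt$N$r$p$salt$dk (base64 fields)."""
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    b64 = lambda b: base64.b64encode(b).decode()
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${b64(salt)}${b64(dk)}"


def scrypt_verify(password: str, stored: str) -> bool:
    """Recompute with the parameters embedded in the record; constant-time compare."""
    _, n, r, p, salt, dk = stored.split("$")
    cand = hashlib.scrypt(password.encode(), salt=base64.b64decode(salt),
                          n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(cand, base64.b64decode(dk))


def legacy_sha256(password: str) -> str:
    """The hypothetical old scheme: hex SHA-256 of the password, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def login(user: dict, password: str) -> bool:
    """Verify against whichever scheme the record uses; upgrade in place on success."""
    stored = user["hash"]
    if stored.startswith("scrypt$"):
        return scrypt_verify(password, stored)
    # Legacy record: constant-time compare, then rehash while the plaintext is in hand.
    if hmac.compare_digest(stored, legacy_sha256(password)):
        user["hash"] = scrypt_hash(password)
        return True
    return False
```

Rehash-on-login leaves dormant accounts on the old scheme indefinitely; if that is unacceptable, the alternative is to wrap every legacy digest under scrypt in one batch job and verify the wrapped form until the user next logs in.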