Docs
cfPassphraseOverview
• Code
This page gives an overview of the algorithms supported by cfPassphrase, to help you determine if any particular algorithm suits you better.
For information on parameters the different algorithms support and what values you should set them to, see the the Tuning Algorithm Params page.
BCrypt was originally written for use in OpenBSD, and released in 1999 at USENIX, as a replacement for the traditional DES crypt and MD5 crypt hashing functions, both of which have a fixed computation cost.
BCrypt is based on an extension of the Blowfish block cipher named Eksblowfish, and was designed to have an expensive and parametrised computation cost so that it can be incrementally slowed down as hardware speeds increase.
A downside to BCrypt is that it's underlying functions only use the first 72 characters of a passphrase - anything longer is truncated/ignored. To workaround this limitation it is recommended to pass the SHA256 hash of a passphrase to BCrypt, which will ensure its entire length is used.
PBKDF2 is a standard published by RSA Laboratories, written in 2000 to replace the earlier PBKDF1, as PKCS #5 of their Public-Key Cryptography Standard. (It has also been published as RFC 2898.)
PBKDF2 uses the algorithm HMAC-SHA1, an extension of the SHA-1 hashing function, and, similarly to BCrypt, has an increasable number of iterations to combat advances in hardware speed.
The algorithms used by PBKDF2 require CPU only, with very limited memory, making it possible to use fast GPUs to perform brute force attacks, though this is only an issue for short passwords with limited iterations.
SCrypt was written for Colin Percival's Tarsnap online backup service and released at BSDCan in 2009. It was created as a replacement for both PBKDF2 and BCrypt, which both have low/fixed memory cost.
SCrypt allows CPU cost and memory cost to be increased, making it more resilient to attacks using GPUs and integrated circuits.
It is considered by some to currently be too new and as yet unproven, though it has been submitted to the IETF, on its way to becoming a standard.
There are numerous different opinions on the different algorithms that can be used for hashing passphrases, and it would be difficult to summarise them all accurately. Instead, below is a list of links with assorted information which you may find useful if you want more information than is provided on this page.
As always, don't trust the opinion of any one source, but read around the subject and see what different people have to say.
OWASP: Password Storage Cheat Sheet
Recommendations from the Open Web Application Security Project.
IT Security Stack Exchange: How to securely hash passwords?
A thorough overview by cryptographer Thomas Pornin.
Coda Hale: How To Safely Store A Password
Programmer Coda Hale advocates using BCrypt over fast hashing functions.
Unlimited Novelty: Don't use bcrypt
Programmer Tony Arcieri advocates using SCrypt over BCrypt.
IT Security Stack Exchange: Do any security experts recommend bcrypt for password storage?
Cryptographer Thomas Pornin's view on why BCrypt is ok to use.
Coding Horror: Speed Hashing
Programmer Jeff Atwood discusses how quickly hashes can be cracked.
Openwall: Password hashing at scale
Presentation slides by security specialist Alexander Peslyak on considerations when using slow hashing for millions of users.