I'm looking at ways to securely store passwords. Some people claim that scrypt is "better" than bcrypt, and so far I've seen nobody who claims vice versa or that scrypt is insecure, though some call bcrypt "more reputable".
What's the advantage of scrypt over bcrypt? According to the scrypt website, "the cost of a hardware brute-force attack against scrypt is roughly 4000 times greater than the cost of a similar attack against bcrypt". If that's the only advantage then can't I just use bcrypt with a larger number of rounds?
SCrypt is a better choice today: better design than BCrypt (especially in regards to memory hardness) and has been in the field for 10 years. On the other hand, it has been used for many cryptocurrencies and we have a few hardware (both FPGA and ASIC) implementations of it.
However there are far more practical attacks to consider, mainly using GPUs and dedicated hardware. That is where the advantages of argon2 over bcrypt or PBKDF2-SHA1 for instance come into play. Argon2 requires not only CPU but also RAM, while the others hardly use memory.
A lot of your research is correct and still applies in 2021, so it is still secure to use BCrypt (which usually generates its own random salt for each password). Good password hashing algorithms are Argon2, SCrypt and BCrypt; they all offer a cost factor which controls the necessary time.
Scrypt is an update to the same model from which Bcrypt arose. Scrypt is designed so as to rely on high memory requirements as opposed to high requirements on computational power.
With scrypt, in addition to increasing computation, you can increase the amount of memory needed to compute the hash. This doesn't bother software implementations much but is much harder to implement with hardware - which is what a dedicated attacker is likely to develop and use.
bcrypt (and PBKDF2) use constant, and small, amounts of memory.
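The memory cost described in the answers above, shown with Python's standard `hashlib.scrypt`. This is an added example, not code from any of the answers; the helper names and the `scrypt$n$r$p$salt$hash` storage format are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def scrypt_memory_bytes(n: int, r: int, p: int = 1) -> int:
    """Approximate working memory: the 128*r*n byte table dominates, plus 128*r*p."""
    return 128 * r * n + 128 * r * p

def _derive(password: str, salt: bytes, n: int, r: int, p: int, maxmem: int) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=n, r=r, p=p, maxmem=maxmem, dklen=32)

def hash_password(password: str, n: int = 2**14, r: int = 8, p: int = 1) -> str:
    """Hash with a fresh random salt; the parameters are stored beside the hash."""
    salt = os.urandom(16)
    # Allow what the parameters need plus 1 MiB of headroom.
    maxmem = scrypt_memory_bytes(n, r, p) + 1024 * 1024
    dk = _derive(password, salt, n, r, p, maxmem)
    return f"scrypt${n}${r}${p}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, dk_hex = stored.split("$")
        n, r, p = int(n), int(r), int(p)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    maxmem = scrypt_memory_bytes(n, r, p) + 1024 * 1024
    return hmac.compare_digest(_derive(password, salt, n, r, p, maxmem), expected)

def fits_in_memory(n: int, r: int, p: int, budget_bytes: int) -> bool:
    """True if scrypt with these parameters can run inside budget_bytes."""
    try:
        _derive("probe", b"\x00" * 16, n, r, p, budget_bytes)
        return True
    except ValueError:  # raised when the parameters need more than maxmem
        return False

if __name__ == "__main__":
    for log_n in (12, 14, 16):
        print(f"N=2^{log_n}: ~{scrypt_memory_bytes(2**log_n, 8) // 2**20} MiB per hash")
    record = hash_password("constructed sample password", n=2**12)
    print(record, verify_password("constructed sample password", record))
```

Doubling `n` doubles both the time and the memory each guess needs, whereas raising the bcrypt cost or PBKDF2 iteration count raises time only.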