
Differences to hashes

Open TheAlgorythm opened this issue 4 years ago • 5 comments

Please clarify in the READMEs why this crate is recommended for passwords. This surprises me especially as this crate, as far as I know, doesn't support pepper. Therefore, I am interested if there is a security reason to not use something like Blake2b or if it makes it only easier to do everything right.

TheAlgorythm avatar Jul 24 '21 09:07 TheAlgorythm

The toplevel README links to the OWASP Password Storage Cheat Sheet, which should answer all of your questions. Namely it covers:

We previously considered maintaining more extensive documentation for this (#48) but decided the OWASP guide already covered all of this information. However, perhaps we could feature it more prominently.

tarcieri avatar Jul 24 '21 13:07 tarcieri

The only downside of hashes I see is that it doesn't support Argon2. But then I don't see an architectural benefit in using this as I can't use PasswordHash with verify_password since the hash needs to be HMACed. So with a pepper it's even a bit more complicated. Maybe it would be possible to implement a pepper with MAC here?

TheAlgorythm avatar Jul 24 '21 13:07 TheAlgorythm
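One way to combine a secret pepper with a password KDF while still producing a PHC-formatted string that an ordinary verifier can parse: key an HMAC with the pepper and feed its digest, rather than the raw password, to the KDF. This is an added example, not code from the thread or from the RustCrypto crates; Python's stdlib `scrypt` stands in for Argon2, the `ln`/`r`/`p` parameter names follow the PHC string convention, and the pepper and passwords are constructed values.

```python
"""Pepper as a keyed pre-hash in front of a password KDF (constructed demo)."""
import base64
import hashlib
import hmac
import os

# scrypt cost parameters kept small so the demo runs quickly; tune for production.
SCRYPT_LN, SCRYPT_R, SCRYPT_P, DK_LEN = 14, 8, 1, 32


def _b64(data: bytes) -> str:
    # PHC strings carry salt and hash as unpadded standard base64.
    return base64.b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))


def prehash(pepper: bytes, password: bytes) -> bytes:
    """HMAC-SHA256 of the password keyed with the server-side pepper.

    The KDF hashes this fixed-length digest instead of the raw password, so a
    leaked database is useless without the pepper, while the stored value is
    still the KDF's own salted output and parses as a normal PHC string.
    """
    return hmac.new(pepper, password, hashlib.sha256).digest()


def hash_password(pepper: bytes, password: bytes, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)  # fresh random salt per hash
    dk = hashlib.scrypt(prehash(pepper, password), salt=salt,
                        n=2 ** SCRYPT_LN, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
    return f"$scrypt$ln={SCRYPT_LN},r={SCRYPT_R},p={SCRYPT_P}${_b64(salt)}${_b64(dk)}"


def verify_password(pepper: bytes, password: bytes, phc: str) -> bool:
    # PHC layout: $<id>$<params>$<salt>$<hash>; parameters are read from the string.
    _, ident, params, salt_b64, hash_b64 = phc.split("$")
    if ident != "scrypt":
        return False
    p = dict(kv.split("=") for kv in params.split(","))
    expected = _unb64(hash_b64)
    actual = hashlib.scrypt(prehash(pepper, password), salt=_unb64(salt_b64),
                            n=2 ** int(p["ln"]), r=int(p["r"]), p=int(p["p"]),
                            dklen=len(expected))
    # Constant-time comparison; a wrong pepper fails exactly like a wrong password.
    return hmac.compare_digest(actual, expected)
```

Because the pepper enters before the KDF, rotating it invalidates every stored hash, so a deployment needs a re-hash-on-login path or a pepper identifier stored alongside the string.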

Adding support for pepper to the password-hash crate is an interesting suggestion. Maybe make a feature request for it on https://github.com/RustCrypto/traits ?

tarcieri avatar Jul 24 '21 13:07 tarcieri

Yeah, I can do that. But I am not sure whether it should be more a separate trait or an extension to the current system?

TheAlgorythm avatar Jul 24 '21 14:07 TheAlgorythm

It could be part of the existing traits

tarcieri avatar Jul 24 '21 14:07 tarcieri

Discussion moved to https://github.com/RustCrypto/traits/issues/694

tarcieri avatar Mar 05 '23 01:03 tarcieri