
This is the first thing I thought too. I've consistently heard the opposite but am not a cryptographer.

The article Sophos links with regards to an explanation for choosing PBKDF2 over bcrypt or scrypt goes over numerous obviously bad practices like cleartext storage, then states the following, without further detail:

We’ll recommend PBKDF2 here because it is based on hashing primitives that satisfy many national and international standards.

This seems like a vague and probably misguided line of reasoning. What specifically would make that recommendation rational? bcrypt wasn't new in 2010 when NIST published the article recommending PBKDF2, and they haven't made the switch since. Dual_EC_DRBG was recommended by NIST in 2006 which makes me deeply skeptical of anything they say.

If anyone could provide the motivation for choosing PBKDF2 in reasonable terms I'd appreciate it.




The best motivation I've heard is here: http://security.stackexchange.com/a/17088/77002

Essentially, blowfish (Bcrypt) doesn't appear to be FIPS-compliant, so if you have to be FIPS-compliant, you use PBKDF2.

And, considering the rest of the comments about why Bcrypt is preferred over PBKDF2, it appears it's all about how a GPU gives a significant speed-up for PBKDF2 but not Bcrypt. But now there are FPGAs that significantly speed up Bcrypt in similar fashion, so it could all be a wash depending on who you talk to.



