PBKDF2 password hashing as in ASP.NET Core

Yves Goergen nospam.list at unclassified.de
Sun Aug 30 23:47:24 EEST 2020


I'm not an expert at this, I just read other sources that make 
suggestions. I have no strong comparison of SHA2 and PBKDF2. So my "<<" 
may be exaggerated. The most important points today seem to be 
resilience against GPU and ASIC attacks. Those devices have only little 
memory to work with. SHA2 is said to be designed to use very little 
memory which only leaves the CPU load as defence. This can be 
compensated by massive parallelisation, as in GPUs.

Neither SHA2 nor PBKDF2 should be resilient against GPU attacks. This is 
where the other algorithms are better because they introduce bigger 
memory requirements.

I'll probably look into PAM authentication and see if I can get my own 
module into there somehow. This should be the most versatile method to 
provide secure authentication for all services. At least Dovecot, Exim 
and ProFTPd support PAM.


-------- Original Message --------
From: Aki Tuomi <aki.tuomi at open-xchange.com>
Sent: Sunday, 30 August 2020, 19:27 CEST
Subject: PBKDF2 password hashing as in ASP.NET Core

In case you are interested,

https://wiki.dovecot.org/HowTo/ConvertPasswordSchemes

By the way, I am a bit sceptical that CRYPT-SHA512 is less secure than PBKDF2.

CRYPT-SHA512 is not "just" SHA512(salt||password), it does at least 1000 
rounds of hashing in a similar way as PBKDF2 does. So, what is your 
reasoning for claiming that PBKDF2 is much more secure than CRYPT-SHA512?

Also, if you look at hashcat cracking speeds, you'll see that the speed 
of cracking is slower for CRYPT-SHA512 than for PBKDF2-SHA512. See 
https://github.com/siseci/hashcat-benchmark-comparison/blob/master/1x%20GTX%201080%20TI%20hashcat%20benchmark.txt

Aki
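
The round count discussed in the quoted message is encoded in the crypt string itself, so stored hashes can be audited for their work factor. The following is an added example, not part of either message and not Dovecot code; it assumes glibc's sha512crypt conventions (5000 rounds when `rounds=` is absent, explicit values clamped to 1000..999999999), and the function names, sample users and the 50,000 threshold are hypothetical.

```python
import re

# glibc sha512crypt: rounds= is optional; without it 5000 rounds are used,
# and explicit values are clamped to the range below.
ROUNDS_DEFAULT = 5000
ROUNDS_MIN = 1000
ROUNDS_MAX = 999_999_999

_CRYPT_RE = re.compile(
    r"^\$6\$(?:rounds=(?P<rounds>\d+)\$)?(?P<salt>[^$]{1,16})\$(?P<hash>[./0-9A-Za-z]{86})$"
)

def sha512crypt_rounds(stored):
    """Return the effective round count of a $6$ crypt string, or None if it is not one."""
    # Dovecot may store the scheme as a prefix, e.g. {SHA512-CRYPT}$6$...
    if stored.startswith("{SHA512-CRYPT}"):
        stored = stored[len("{SHA512-CRYPT}"):]
    m = _CRYPT_RE.match(stored)
    if m is None:
        return None
    if m.group("rounds") is None:
        return ROUNDS_DEFAULT
    return max(ROUNDS_MIN, min(ROUNDS_MAX, int(m.group("rounds"))))

def audit(entries, minimum):
    """Return (user, rounds) for entries below `minimum`; rounds is None for non-$6$ hashes."""
    weak = []
    for user, stored in entries:
        rounds = sha512crypt_rounds(stored)
        if rounds is None or rounds < minimum:
            weak.append((user, rounds))
    return weak

# Constructed sample entries; the 86-character digests are filler, not real hashes.
FILLER = "x" * 86
SAMPLE = [
    ("alice", "{SHA512-CRYPT}$6$saltsalt$" + FILLER),  # no rounds= -> default
    ("bob", "$6$rounds=100000$saltsalt$" + FILLER),
    ("carol", "$6$rounds=10$saltsalt$" + FILLER),      # clamped up to the minimum
    ("dave", "{PLAIN}hunter2"),                        # not sha512crypt at all
]

if __name__ == "__main__":
    for user, rounds in audit(SAMPLE, minimum=50_000):
        print(user, rounds)
```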


