yescrypt
hmac-bcrypt
yescrypt | hmac-bcrypt | |
---|---|---|
3 | 1 | |
116 | 59 | |
5.2% | - | |
3.4 | 10.0 | |
8 months ago | over 1 year ago | |
C | C | |
- | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
yescrypt
-
Inception: Leaking the root hash from /etc./shadow on AMD Zen 4 [video]
when you look properly at the end of the video the root hash starts with $y$ implying its yescrypt
more info here https://manpages.debian.org/unstable/libcrypt-dev/crypt.5.en...
https://www.openwall.com/yescrypt/
once you have the hash you have to use some rainbow tables if they exist for that hash function or bruteforce it
the authors of yescrypt claim: "Technically, yescrypt is the most scalable password hashing scheme so far, providing near-optimal security from offline password cracking across the whole range from kilobytes to terabytes and beyond. "
in any way, this is a local attack, someone / some software on your local machine would need to execute it so i am not overly stressed, password hashes leak all the time from all different sources
yet, it does worry me because my AMD stock is dropping on value because of this today :D
-
ELI5: why is a password that uses numbers and letters stronger than one with only letters? the attackers don't know that you didn't use numbers, so they must include numbers in their brute force either way.
I believe SHA512 or yescrypt are the favored hashing algorithms.
-
PoS
Ya, yescrypt and also yespower which is a derivative for PoW, does it so we can just use that code or fork it. Also we would need a new idea to keep it CPU viable forever, and I discovered a way to do that, simply increase the required memory size (called memory hardness) with moore's law.
hmac-bcrypt
-
So I created a custom KDF. Bad idea?
Regarding cache-hard KDFs, check out Argon2ds, Pufferfish2, hmac-bcrypt, and bscrypt.
What are some alternatives?
john - John the Ripper jumbo - advanced offline password cracker, which supports hundreds of hash and cipher types, and runs on many operating systems, CPUs, GPUs, and even some FPGAs
c-hash - LiamLoads is a fast and secure 256-bit hashing function in pure C.
yespower - Proof-of-work scheme building upon yescrypt and scrypt
Argon2 - Memory-hard scheme Argon2
noble-hashes - Audited & minimal JS implementation of hash functions, MACs and KDFs.
bscrypt - A cache hard password hash/KDF
password4j - Java cryptographic library that supports Argon2, bcrypt, scrypt and PBKDF2 aimed to protect passwords in databases. Easy to use by design, highly customizable, secure and portable. All the implementations follow the standards and have been reviewed to perform better in the JVM.
pufferfish - Pufferfish2 password hashing scheme