views: 271
answers: 2
I'd prefer to use the crypt function and use blowfish encryption, but the current implementation of this module uses the hash function, which doesn't offer this encryption method. So, what is the safest algorithm in Kohana's auth module? Would SHA-512 be a good option or am I better off modifying the module to use crypt and blowfish?

+2  A: 

From an answer to this stackoverflow question: http://stackoverflow.com/questions/1561174/sha512-vs-blowfish-and-bcrypt

It should suffice to say whether bcrypt or SHA-512 is good enough. And the answer is yes, either algorithm is secure enough that a breach will occur through an implementation flaw, not cryptanalysis.

In other words, it seems wiser to use the somewhat hardened implementation already in Kohana vs. trying to modify the module and potentially introduce new implementation errors.

danieltalsky
Thanks, although the point shown by Theran below is a good one. Still I think your suggestion is right and I'll use Kohana's built-in module with SHA-512. Thanks again!
amgeex
+1  A: 

It looks like SHA-512 is your best option.

To summarize the linked content from danieltalsky's answer, the bad thing about SHA-512 is that it's fast. It's a fine hash, but SHA-512's speed means that an attacker with a copy of your hashed passwords can make more guesses per second. bcrypt is a much slower hash, so it will take longer to test each guess at the password, and thus longer to find one of your users' weak passwords.

You could go and try adding bcrypt or some form of stretching to Kohana's auth module, but your time is probably better spent making sure your server throttles the rate at which users can attempt to log in.

Theran
Thanks, I know slowness is good in a hashing algorithm; I'll see how it works with the Kohana auth module. Maybe I can slow it down further, but for starters I'll use it as it is. Thanks for the reply!
amgeex
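To put numbers on Theran's point about hash speed versus key stretching, here is an added example (not from the question, the answers, or Kohana's code) that compares one salted SHA-512 against PBKDF2-HMAC-SHA512 with 100,000 iterations and measures how many candidate passwords each can check per second on the local machine. The password, salt and iteration count are constructed for the demonstration; Python is used so the comparison runs stand-alone, even though Kohana itself is PHP.

```python
import hashlib
import hmac
import os
import time

# Constructed sample credentials for the demonstration (not from the page).
PASSWORD = "correct horse battery staple"
SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed 16-byte salt


def new_salt() -> bytes:
    """A fresh random per-user salt; store it next to the hash."""
    return os.urandom(16)


def fast_sha512(password: str, salt: bytes) -> bytes:
    """One salted SHA-512: what a plain hash()-based scheme gives. Fast."""
    return hashlib.sha512(salt + password.encode("utf-8")).digest()


def stretched_sha512(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Key stretching: PBKDF2-HMAC-SHA512, deliberately slow in the spirit of bcrypt."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)


def verify(stored: bytes, candidate: bytes) -> bool:
    """Constant-time comparison so the check itself leaks no timing information."""
    return hmac.compare_digest(stored, candidate)


def guesses_per_second(hash_fn, seconds: float = 0.2) -> float:
    """How many candidate passwords hash_fn can evaluate per second on this machine."""
    count = 0
    deadline = time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hash_fn(f"guess{count}", SALT)
        count += 1
    return count / seconds


def slowdown_factor() -> float:
    """Ratio of single-SHA-512 throughput to stretched-SHA-512 throughput."""
    return guesses_per_second(fast_sha512) / guesses_per_second(stretched_sha512)


if __name__ == "__main__":
    print(f"plain SHA-512:     {guesses_per_second(fast_sha512):12.0f} guesses/s")
    print(f"PBKDF2-SHA512 100k:{guesses_per_second(stretched_sha512):12.0f} guesses/s")
    print(f"stretching slows each guess down by about {slowdown_factor():.0f}x")
```

The absolute numbers depend on the machine, but the ratio is what matters: every factor of slowdown on the stretched hash is the same factor removed from an offline guessing rate, which is why Theran prefers bcrypt or stretching over a bare SHA-512.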