Closed GoogleCodeExporter closed 9 years ago
No one should be using bcrypt for hash tables, which is what Hashing is for.
Original comment by tavianator@gmail.com
on 24 Sep 2014 at 6:27
Hashing is not only (or even primarily) for hash tables:
https://code.google.com/p/guava-libraries/wiki/HashingExplained
Original comment by cgdecker@google.com
on 24 Sep 2014 at 6:39
Bcrypt is one of the three good password hashing schemes -- md5() or sha256()
are outdated and insecure.
https://password-hashing.net
http://security.stackexchange.com/questions/4781/do-any-security-experts-recommend-bcrypt-for-password-storage
http://codahale.com/how-to-safely-store-a-password/
Original comment by sebastia...@gmail.com
on 24 Sep 2014 at 7:03
> sha256() are outdated and insecure.
That's pure nonsense. SHA-256 is still a rather modern (SHA-3 is out, but it'll
take years) and secure HASH FUNCTION.
bcrypt is NO hash function, it's a key derivation function. Using hash
functions as a KDF is insecure, no matter how good the function.
A KDF is no com.google.common.hash.HashFunction as it always needs a salt. This
can be an additional input[1] or generated randomly[2]. Fitting it to the
interface by fixing an argument would be a very stupid idea. Allowing a hash
function to behave randomly would be no smarter.
I'm not saying that it doesn't belong to Guava, I'm just saying that it doesn't
belong to the hash package. No HF is a KDF and vice versa.
[1]:
http://docs.spring.io/autorepo/docs/spring-security/3.1.7.RELEASE/apidocs/org/springframework/security/crypto/bcrypt/BCrypt.html
[2]:
https://github.com/wg/scrypt/blob/master/src/main/java/com/lambdaworks/crypto/SCrypt.java
Original comment by Maaarti...@gmail.com
on 25 Sep 2014 at 12:55
This issue has been migrated to GitHub.
It can be found at https://github.com/google/guava/issues/<issue id>
Original comment by cgdecker@google.com
on 1 Nov 2014 at 4:08
Original comment by cgdecker@google.com
on 1 Nov 2014 at 4:17
Original comment by cgdecker@google.com
on 3 Nov 2014 at 9:07
Original issue reported on code.google.com by
sebastia...@gmail.com
on 17 Sep 2014 at 12:34