Wie speichert man Logins/Passwörter in einer eigenen Anwendung ab? [Update]

Dieser Artikel dient als Link-Sammelung zu den Überlegungen diverser Quellen (geordnet nach Veröffentlichungsdatum).

Eine Erläuterung wie man Passwörter speichern sollte gibt es unter anderem bei NakedSecurity: Serious Security: How to store your users’ passwords safely (November 2013).

Die Essenz von NakedSecurity: Serious Security: How to store your users’ passwords safely:

  1. Users’ passwords should not be recoverable from the database.
  2. Identical, or even similar, passwords should have different hashes.
  3. The database should give no hints as to password lengths.

Zusammenfassung

  • Linux Mint 18.2: crypt mit SHA-512
  • OWASP (2017): PBKDF2, bcrypt, scrypt
  • Python Passlib 1.7.1 (2017): argon2, bcrypt, PBKDF2, crypt
  • Dropbox (2016): bcrypt (mit eigenen Maßnahmen zur weiteren Sicherung der Passwörter)
  • Pargon Initiative (2016): argon2, bcrypt, scrypt, PBKDF2 (als schlechteste Alternative der guten Möglichkeiten)
  • Password Hashing Competition (2015): argon2
  • ircmaxell (2014): bcrypt (nur mit scrypt verglichen)
  • NakedSecurity (2013): PBKDF2, bcrypt, scrypt

Linux Mint 18.2

Nutzt in der /etc/shadow crypt mit SHA-512

OWASP (September 2017)

Use PBKDF2, bcrypt or scrypt for password storage.

Python Passlib (1.7.1) Quickstart (Januar 2017)

There are currently four good choices for secure hashing:

  • argon2
  • bcrypt
  • pbkdf2_sha256 / pbkdf2_sha512
  • sha256_crypt / sha512_crypt

All four hashes share the following properties:

  • No known vulnerabilities.
  • Based on documented & widely reviewed algorithms.
  • Public-domain or BSD-licensed reference implementations available.
  • variable rounds for configuring flexible cpu cost on a per-hash basis.
  • At least 96 bits of salt.
  • Basic algorithm has seen heavy scrutiny and use for at least 10 years (except for Argon2, born around 2013).
  • In use across a number of OSes and/or a wide variety of applications.

While Argon2 is much younger than the others, it has seen heavy scrutiny, and was purpose-designed for password hashing. In the near future, it stands likely to become the recommended standard.

How Dropbox securely stores your passwords (September 2016)

Why not use {scrypt, argon2} over bcrypt?

We considered using scrypt, but we had more experience using bcrypt. The debate over which algorithm is better is still open, and most security experts agree that scrypt and bcrypt provide similar protections.

We’re considering argon2 for our next upgrade: when we moved to our current scheme, argon2 hadn’t (yet) won the Password Hashing Competition. Additionally, while we believe argon2 is a fantastic password hashing function, we like that bcrypt has been around since 1999 without any significant vulnerabilities found.

Dropbox nutzt einen Multistage-Ansatz:

We rely on bcrypt as our core hashing algorithm with a per-user salt and an encryption key (or global pepper), stored separately. Our approach differs from basic bcrypt in a few significant ways.

First, the plaintext password is transformed into a hash value using SHA512. This addresses two particular issues with bcrypt. Some implementations of bcrypt truncate the input to 72 bytes, which reduces the entropy of the passwords. Other implementations don’t truncate the input and are therefore vulnerable to DoS attacks because they allow the input of arbitrarily long passwords. By applying SHA, we can quickly convert really long passwords into a fixed length 512 bit value, solving both problems.

Next, this SHA512 hash is hashed again using bcrypt with a cost of 10, and a unique, per-user salt. Unlike cryptographic hash functions like SHA, bcrypt is designed to be slow and hard to speed up via custom hardware and GPUs. A work factor of 10 translates into roughly 100ms for all these steps on our servers.

Finally, the resulting bcrypt hash is encrypted with AES256 using a secret key (common to all hashes) that we refer to as a pepper. The pepper is a defense in depth measure. The pepper value is stored separately in a manner that makes it difficult to discover by an attacker (i.e. not in a database table). As a result, if only the password storage is compromised, the password hashes are encrypted and of no use to an attacker.

Pargon Initiative (Februar 2016)

Acceptable Password Hashing Algorithms

Although there is disagreement about how to rank them, cryptography experts agree that these algorithms are the only ones you should be using to store passwords in 2016:

  • Argon2, the Password Hashing Competition winner.
  • bcrypt
  • scrypt
  • The other Password Hashing Competition finalists (Catena, Lyra2, Makwa, and yescrypt) PBKDF2 (nearly everyone except FIPS agrees PBKDF2 is the worst of the acceptable options, but is still acceptable)

Password Hashing Competition (2015)

We received 24 candidates, including many excellent designs, and selected one winner, Argon2, an algorithm designed by Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich from University of Luxembourg. […] We recommend that use you use Argon2 rather than legacy algorithms.

ircmaxell’s blog: Why I Don’t Recommend Scrypt (März 2014) (Vergleich von scyrpt und bcrypt)

The answer is, in my opinion, to stick with bcrypt for now.

NakedSecurity: Serious Security: How to store your users’ passwords safely (November 2013)

Choose one of these three well-known ones: PBKDF2, bcrypt or scrypt.

We’ll recommend PBKDF2 here because it is based on hashing primitives that satisfy many national and international standards.

Hashing

BSI TR-02102-1 (Februar 2017)

Nach heutigem Kenntnisstand gelten die folgenden Hashfunktionen als kryptographisch stark und sind damit für alle in dieser Technischen Richtlinie verwendeten Verfahren einsetzbar:

  • SHA-256, SHA-512 / 256, SHA-384 und SHA-512 […]
  • SHA3-256, SHA3-384, SHA3-512

NIST Special Publication 800-107 Revision 1: Recommendation for Applications Using Approved Hash Algorithms (August 2012)

Currently, there are seven approved hash algorithms specified in FIPS 180-4: SHA-1, SHA-224, SHA-256, SHA-384 SHA-512, SHA-512 / 224 and SHA-512 / 256. These hash algorithms produce outputs of 160, 224, 256, 384, 512, 224 and 256 bits, respectively. The output of a hash algorithm is commonly known as a message digest, a hash value or a hash output.

Scrypt

Memory-hard functions (MHFs) are hash algorithms whose evaluation cost is dominated by memory cost. As memory, unlike computation, costs about the same across different platforms, MHFs cannot be evaluated at significantly lower cost on dedicated hardware like ASICs. MHFs have found widespread applications including password hashing, key derivation, and proofs-of-work. This paper focuses on scrypt, a simple candidate MHF designed by Percival, and described in RFC 7914. It has been used within a number of cryptocurrencies (e.g., Litecoin and Dogecoin) and has been an inspiration for Argon2d, one of the winners of the recent password-hashing competition. Despite its popularity, no rigorous lower bounds on its memory complexity are known. We prove that scrypt is optimally memory hard […]

Best Paper Award Eurocrypt 2017: Joel Alwen (IST Austria), Binyi Chen (UCSB), Krzysztof Pietrzak (IST Austria), Leonid Reyzin (Boston University), Stefano Tessaro (UCSB). Scrypt is Maximally Memory-Hard

Update

  • Abschnitt zum Paper “Scrypt is Maximally Memory-Hard
  • Kriterien wie man Passwörter speicher sollte von NakedSecurity hinzugefügt