Arnold Reinhold (at Wednesday, December 25, 2013, 8:29:20 PM): > You forgot the most important criteria, parameterizable to not
1, i did not and 2, this is not the most important criteria. the most important is safety. > I'm not aware of any side channel attacks on even individual stored > passwords i'm also not aware of any attacks against pbkdf2, or even a homegrown repeated md5. just because it did not happen so far is not enough to trust the algorithm. > If you are really concerned about side channels, note that scrypt > begins with a PBKDF2 call the exact problem with side channel attacks is that the circumvent other layers, opening other attack routes. > I hope the current KDF competition comes up with better solutions, that is sure, me too. > but that is no excuse for failing to provide strong protection like for example pbkdf2. (let me just stress like the thousandth time that i don't like it. but it is safe, standard, and cpu-hungry.) in comparison, scrypt is better in many situations, while worse or even broken in some other situations. use with care.
