[s0xxx]

Quote:

In the context of hardware brute-force attacks, scrypt is thousands of times more secure than existing "best practice" solutions such as bcrypt and PBKDF2; in fact, under reasonable assumptions it is provably as strong as possible. In addition to the key derivation function itself, I have released a simple file encryption utility which is approximately 100 billion times more secure than openssl enc, due to OpenSSL using MD5 as a key derivation function.

http://www.daemonology.net/blog/2009...erivation.html

Later in the comments Colin said:

Quote:

Drepper's SHA crypt is actually weaker than bcrypt where hardware brute force attacks are concerned, since blowfish (and thus bcrypt) requires a larger die area than SHA256 or SHA512.

I'm planning on talking to Drepper about scrypt and investigating whether scrypt can be brought into linuxes and BSDs as a standard method for password hashing.

Colin Percival, Stronger Key Derivation via Sequential Memory-Hard Functions, presented at BSDCan'09, May 2009.
Conference presentation slides: PDF.