Like it or not, password authentication remains relevant (including as one of several authentication factors), password hash database leaks happen, the leaks are not always detected and fully dealt with right away, and even once they are many users’ same or similar passwords reused elsewhere remain exposed. To mitigate these risks, computationally expensive (bcrypt, PBKDF2, etc.) and more recently also memory-hard (scrypt, Argon2, etc.) password hashing schemes have been introduced. Unfortunately, at low target latency their memory usage is unreasonably low, up to the point where they’re not obviously better than the much older bcrypt. This is a primary drawback that our yescrypt addresses.

In my talk, I will describe and provide rationale for both scrypt’s sequential memory-hard hashing and yescrypt’s numerous additions to it.

Most notable for large-scale deployments is yescrypt’s optional initialization and reuse of a large lookup table, typically occupying tens of gigabytes of RAM and essentially forming a site-specific ROM. This limits attackers’ use of pre-existing hardware such as botnet nodes. yescrypt’s other changes from scrypt further slow down GPUs, FPGAs, and ASICs even when its memory usage is low (and there’s no ROM), and provide extra knobs and built-in features.

Technically, yescrypt is the most scalable password hashing scheme so far, providing near-optimal security from offline password cracking across the whole range from kilobytes to terabytes and beyond. However, the price for this is complexity, and we recognize that complexity is a major drawback of any software. Thus, at this time we focus on large-scale deployments. For smaller deployments, bcrypt with its simplicity and existing library support is a reasonable short-term choice (although we’re making progress towards more efficient FPGA attacks on bcrypt under a separate project). We might introduce a cut-down yescrypt-lite later or/and yescrypt might become part of standard or popular libraries, making it more suitable for smaller deployments as well.

Alexander Peslyak, better known as Solar Designer, has been into computer security and Open Source for over 20 years. He achieved a number of “firsts” in (anti-)exploitation, founded Openwall, (co-)wrote much of Openwall’s software including John the Ripper password cracker, contributed to third-party projects, runs the oss-security mailing list – among many other past and current activities. Alexander spoke at international conferences: HAL2001, NordU, FOSDEM, CanSecWest, PHDays, and ZeroNights.



[ Slides (PDF) ] [Recording (MP4)] [Recording (OGV)]

Comments are closed.