Secure Password Encryption & Storage

Hi all,

I have been using the method described by Thom McGrath here without issue. It works well and is a great article (I hope it never disappears!).

I have 2 questions regarding this method though:

  1. Does increasing the iteration count make it much harder for a potential hacker to decrypt? Is this a case of the higher the count the harder it would be?

  2. It also mentions using 64 bytes of random data. Would it benefit by increasing this to say 128 or 256, making it more difficult to decrypt?

I have tested performance using increased values for both and there is no performance penalty, so am I gaining a benefit of stronger encryption results by increasing these values?

I don’t have enough knowledge of encryption to understand if this is the case or not.


Just to clarify, this isn’t encryption because there is no way to work backwards from the result directly to the original. As such, a hacker can only use some brute force technique to check a list of passwords against your results to try to find a match. The longer it takes to check each password, the less likely it will be that he’ll succeed, as long as the original password is also relatively secure.

To be honest, 64 byte salts are already overkill so I would not focus on that. Increasing the iterations is better, and using a different algorithm might be better still. Both bcrypt and scrypt are supposed to be less hardware friendly than pbkdf2, in that order. For this purpose, scrypt is a better fit than bcrypt.

With scrypt, the higher the initial settings, the longer it takes to hash. With any algorithm, you want to shoot for 100 ms at least, but the higher the better. Assume a hacker will have more powerful hardware than you.

Help the user come up with more secure passwords on their end without being draconian about it. Make sure their password is not on, or near, one of the 10k most popular, and maybe use a scoring mechanism that rewards length over other factors.
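
An added example, not part of the original thread and not the code of anyone posting in it: one way to act on the 100 ms advice above is to measure the hash time on your own hardware instead of guessing an iteration count, then store the count with each hash so it can be raised later. It uses PBKDF2 from Python's `hashlib`; the SHA-512 choice, the 16-byte salt, the record format and all function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import time

SALT_BYTES = 16    # assumption: 16 random bytes; the thread calls 64 overkill
TARGET_MS = 100    # the "100 ms at least" floor from the reply above


def calibrate(target_ms=TARGET_MS, start=10_000):
    """Double the PBKDF2 iteration count until one hash takes >= target_ms here."""
    iterations = start
    salt = os.urandom(SALT_BYTES)
    while True:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha512", b"calibration-password", salt, iterations)
        elapsed_ms = (time.perf_counter() - t0) * 1000
        if elapsed_ms >= target_ms:
            return iterations
        iterations *= 2


def hash_password(password, iterations):
    """Return 'pbkdf2_sha512$<iterations>$<salt hex>$<hash hex>' for storage."""
    salt = os.urandom(SALT_BYTES)  # fresh salt per password
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha512${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and count; compare in constant time."""
    scheme, iterations, salt_hex, hash_hex = record.split("$")
    if scheme != "pbkdf2_sha512":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def needs_rehash(record, current_iterations):
    """True when a stored record used fewer iterations than today's calibrated count."""
    return int(record.split("$")[1]) < current_iterations


if __name__ == "__main__":
    n = calibrate()
    rec = hash_password("correct horse battery staple", n)  # constructed sample
    print(n, verify_password("correct horse battery staple", rec))
```

If a test shows no slowdown after raising the iteration count, the new count is probably not reaching the hash call; `calibrate` makes the cost visible because it only returns once a single hash really takes the target time.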

Thanks Kem.

I just found scrypt after a quick search; it makes for an interesting read.

It's a shame we don’t have scrypt and bcrypt built into Xojo.

You found my M_Crypto package, or something else?

Yes, I found your M_Crypto package on GitHub.