Good hashing for passwords


Post by iBobik » Thu Apr 25, 2019 10:10 pm

As a web developer I just know that we should use something like Bcrypt or Argon to keep passwords safe.

Are there some hashing algorithms good enough for passwords available on ESP8266?
Are there any tricks to increase the difficulty to a comparable level using just SHA256?


Re: Good hashing for passwords

Post by jimmo » Sat Apr 27, 2019 12:11 pm

Many of these ciphers need quite a lot of ROM, e.g. Blowfish (used by Bcrypt) needs a few kilobytes of digits of pi for the P-array and S-boxes. This might make them unlikely to ever appear by default in MicroPython firmware (I have no idea though).

As you've already noticed, the strongest available in uhashlib is SHA256. The thing about password hashing is more about making it time-expensive to compute the hash, which SHA256 is not (even if you apply it multiple times, etc).

If this is important to your particular application, you could investigate porting the one from https://github.com/pyca/bcrypt/ (which is based on the OpenSSL implementation) to a MicroPython module.
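
An added example, not part of either post above: the standard construction for stretching a plain hash is PBKDF2-HMAC-SHA256, built here from nothing but the `sha256` primitive the thread says is available. It multiplies the cost of each guess by the iteration count but is not memory-hard like bcrypt or Argon2. The function names are this example's own, and it assumes a random per-password salt stored next to the iteration count and the hash.

```python
try:
    from uhashlib import sha256  # MicroPython firmware
except ImportError:
    from hashlib import sha256   # CPython, for testing off-device

BLOCK = 64  # SHA-256 block size in bytes

def _pads(key):
    # HMAC key preparation: hash long keys, zero-pad, XOR with ipad/opad.
    if len(key) > BLOCK:
        key = sha256(key).digest()
    key = key + b"\x00" * (BLOCK - len(key))
    return bytes(b ^ 0x36 for b in key), bytes(b ^ 0x5C for b in key)

def _hmac(pads, msg):
    inner = sha256(pads[0] + msg).digest()
    return sha256(pads[1] + inner).digest()

def hmac_sha256(key, msg):
    return _hmac(_pads(key), msg)

def pbkdf2_sha256(password, salt, iterations, dklen=32):
    pads = _pads(password)  # computed once, reused for every iteration
    out = b""
    index = 1
    while len(out) < dklen:
        u = _hmac(pads, salt + index.to_bytes(4, "big"))
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = _hmac(pads, u)
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(32, "big")
        index += 1
    return out[:dklen]

def constant_time_eq(a, b):
    # Compare without exiting early on the first differing byte.
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0

def verify(password, salt, iterations, stored):
    return constant_time_eq(pbkdf2_sha256(password, salt, iterations), stored)
```

On a microcontroller the iteration count has to be tuned by timing `pbkdf2_sha256` on the device itself, since each iteration costs two SHA256 calls.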
