Good hashing for passwords

Posted: Thu Apr 25, 2019 10:10 pm
by iBobik
As a web developer I just know that we should use something like Bcrypt or Argon to keep passwords safe.

Are there some hashing algorithms good enough for passwords available on ESP8266?
Are there some tricks to increase the difficulty to a comparable level using just SHA256?

Re: Good hashing for passwords

Posted: Sat Apr 27, 2019 12:11 pm
by jimmo
Many of these ciphers need quite a lot of ROM, e.g. Blowfish (used by Bcrypt) needs a few kilobytes of digits of pi for the P-array and S-boxes. This might make them unlikely to ever appear by default in MicroPython firmware (I have no idea though).

As you've already noticed, the strongest available in uhashlib is SHA256. The thing about password hashing is more about making it time-expensive to compute the hash, which SHA256 is not (even if you apply it multiple times, etc).

If this is important to your particular application, you could investigate porting the one from https://github.com/pyca/bcrypt/ (which is based on the OpenSSL implementation) to a MicroPython module.
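
Added example (not part of either post above, and not code from MicroPython or pyca/bcrypt): PBKDF2-HMAC-SHA256 built from nothing but a SHA256 primitive, which is the standard construction for stretching a password when only SHA256 is available. It raises CPU cost per guess but is not memory-hard like bcrypt or Argon2; the function names, the 16-byte salt and the `ITERATIONS` value are assumptions to be tuned on the device.

```python
try:
    import uhashlib as hashlib   # MicroPython
    import uos as os
except ImportError:
    import hashlib               # CPython, for checking the code off-device
    import os

BLOCK = 64         # SHA256 block size in bytes
ITERATIONS = 1000  # assumed value: measure on the device, raise as far as latency allows

def hmac_sha256(key, msg):
    # uhashlib ships no hmac module and no copy(), so HMAC is built by hand.
    if len(key) > BLOCK:
        key = hashlib.sha256(key).digest()
    key = key + b"\x00" * (BLOCK - len(key))
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()

def pbkdf2_sha256(password, salt, iterations, dklen=32):
    out = b""
    block_index = 1
    while len(out) < dklen:
        # U1 = HMAC(P, S || INT(i)); Uk = HMAC(P, Uk-1); T = U1 ^ U2 ^ ... ^ Uc
        u = hmac_sha256(password, salt + block_index.to_bytes(4, "big"))
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac_sha256(password, u)
            for i in range(len(t)):
                t[i] ^= u[i]
        out += bytes(t)
        block_index += 1
    return out[:dklen]

def constant_time_eq(a, b):
    # Compare without returning early on the first differing byte.
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0

def hash_password(password, iterations=ITERATIONS):
    salt = os.urandom(16)  # fresh random salt per password
    return salt, iterations, pbkdf2_sha256(password, salt, iterations)

def verify_password(password, salt, iterations, expected):
    return constant_time_eq(pbkdf2_sha256(password, salt, iterations), expected)
```

Store the salt and iteration count next to the derived key so the count can be raised later without invalidating existing records.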