Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I agree that implying the creator of py-bcrypt was malicious is asinine (although that was apparently not his intention), but dropping 8 bits off the hash could be dangerous. When you're talking about an attack against a perfect hash function, it would mean nothing due to the large size, but in conjunction with theoretical flaws in bcrypt it could be a big deal.

All that said! Bcrypt is still secure by all means and better off than damn near anything else out there.

Edit: note, such theoretical flaws in bcrypt have not even been proposed. Didn't want to make this seem worse than it is.



The sad thing is, the finding isn't asinine. It's truly interesting (though practically irrelevant, except that it appears to have rendered the ref implementation of bcrypt incompatible with Mazieres' paper).

But instead of spending time talking about the interesting finding, this blogger clubbed their own reputation to death on it. I'd like to presume they were just spectacularly bored, but to steal some of the author's own words, that's "vastly too big a discrepancy to be explainable by a simple inadvertent bug".




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: