BCrypt vs PBKDF2

David Spades
Ranch Hand

Joined: Feb 01, 2014
Posts: 194
I wish to know which one is more secure against attacks from today's fast hardware: BCrypt or PBKDF2? Thanks.
Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1035
    

Never having done a comparison, I cannot say which will be the most difficult to crack based on processing in the password domain. Assuming that the password is constrained to have at least as much entropy as a randomly generated key for the target block algorithm, then it is the entropy of the derived key that an attacker is likely to attack. Of course, if the password has low entropy then it will not matter which method is used to derive the key.
Pat Farrell
Rancher

Joined: Aug 11, 2007
Posts: 4646
    

Richard Tookey wrote: Of course if the password has low entropy then it will not matter which method is used to derive the key.


You're right. One really needs to stop the users from using a password, as they don't have enough entropy. We have to move to pass phrases or tools like OnePass.

Even recent studies show that "password" and "asdfgh" are the most popular entries.
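
The comparison Richard Tookey describes (searching the password domain versus searching the derived key), worked as an added example that is not part of any post in this thread. The cost model (one password guess costs `kdf_iterations` units of work, one raw key guess costs one unit), the function names and the sample policies are assumptions made for illustration.

```python
import math

def password_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password whose symbols are chosen uniformly at random."""
    return length * math.log2(alphabet_size)

def weakest_domain(pw_bits: float, key_bits: int, kdf_iterations: int = 1):
    """Return (domain, work_bits) for the cheaper of the two exhaustive searches.

    Simplified model (assumption): a password guess costs kdf_iterations
    units of work, a guess at the derived key itself costs one unit.
    """
    pw_work = pw_bits + math.log2(kdf_iterations)
    if pw_work < key_bits:
        return ("password", pw_work)
    return ("key", float(key_bits))

def min_length(alphabet_size: int, key_bits: int, kdf_iterations: int = 1) -> int:
    """Shortest uniformly random password for which searching the password
    domain costs at least as much as searching the key domain."""
    needed = max(key_bits - math.log2(kdf_iterations), 0)
    return math.ceil(needed / math.log2(alphabet_size))

if __name__ == "__main__":
    KEY_BITS = 128        # e.g. a 128-bit block cipher key
    ITERATIONS = 100_000  # constructed sample work factor
    # Constructed sample policies: (description, alphabet size, length)
    policies = [
        ("8 random lowercase letters", 26, 8),
        ("4 random words from a 7776-word list", 7776, 4),
        ("20 random printable ASCII characters", 94, 20),
    ]
    for name, alphabet, length in policies:
        bits = password_bits(alphabet, length)
        domain, work = weakest_domain(bits, KEY_BITS, ITERATIONS)
        print(f"{name}: {bits:.1f} bits, cheaper search = {domain} "
              f"(~2^{work:.1f} work)")
    print("Printable ASCII length needed, no stretching credit:",
          min_length(94, KEY_BITS))
    print("Words needed from a 7776-word list, no stretching credit:",
          min_length(7776, KEY_BITS))
```

Key stretching only adds `log2(kdf_iterations)` bits to the password side of the comparison, so under this model a short password remains the cheaper target whichever derivation function is chosen.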
 