0

I am creating an online web application with a heavy focus on security and want to know what you guys think about this.

Basically, I began hashing my passwords using the Blowfish algorithm after studying about it online as it seemed perfect for what I was trying to achieve. After reading a little bit more on it however, I started finding more and more mixed reviews. Some people highly recommended it, even more so than SHA-512, while others stated that because it is an older algorithm (created in the '80s or '90s I believe) I should use something else, such as either SHA-256 or SHA-512 with a strong salt.

This leaves me a bit confused if Blowfish is alright to use for a modern application or not.

Thanks!

hRdCoder
  • 579
  • 7
  • 30
  • possible duplicate of [Secure hash and salt for PHP passwords](http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords) – John Conde Apr 02 '14 at 18:47
  • Thanks for your comment, but I think in that link he isn't looking for specifically the same thing I am looking for. – hRdCoder Apr 02 '14 at 18:52
  • What's the difference between your question and his question? – Uli Köhler Apr 02 '14 at 19:13
  • In his question he wants to know if he should use MD5 or SHA and how to pick a good salt, among other questions. I'm specifically curious about the Blowfish algorithm and if it's a strong contender for modern applications. – hRdCoder Apr 02 '14 at 19:17
  • 2
    Blowfish is a cipher, i. .e, an encryption/decryption suite. Maybe you meant BCrypt, which uses a Blowfish variant. – Gumbo Apr 02 '14 at 19:41
  • BCrypt doesn't use Blowfish? I was under the assumption that it was. – hRdCoder Apr 02 '14 at 19:44
  • @hRdCoder It uses major parts of Blowfish. – Gumbo Apr 02 '14 at 19:45
  • @Gumbo, so if I understand correctly, Blowfish is an encryption/decryption suite as you stated while BCrypt is a PHP hashing algorithm that uses, or attempts to emulate Blowfish? – hRdCoder Apr 02 '14 at 19:51
  • @hRdCoder [Blowfish](http://en.wikipedia.org/wiki/Blowfish_\(cipher\)) is a cipher. [bcrypt](http://en.wikipedia.org/wiki/Bcrypt) is a key derivation function that is based in Blowfish. Just read both Wikipedia articles. – Gumbo Apr 02 '14 at 19:53
  • Thanks for your comments, @Gumbo. I'll go ahead and upvote you as you distinguished something for me. – hRdCoder Apr 02 '14 at 19:56
  • 1
    Please see the [PHP.net Password Hashing FAQ](https://www.php.net/manual/en/faq.passwords.php) and [How to securely hash passwords](http://security.stackexchange.com/q/211/39623), which boil down to: Use password_hash() and password_verify() with as high a $cost as you can afford during peak times. This is a BCrypt implementation, built into PHP 5.5 or up, and available with a compatibility library in 5.3.7 and up. – Anti-weakpasswords Apr 03 '14 at 05:47
  • Read Anti-weakpassword's comment about the password api. Here some points to think about: 1) BCrypt was designed to work poor with GPU's, that reduces the advantage for cracking with graphic cards. 2) Old proven algorithms are usually prefered over new ones, though both (BCrypt and SHA*) are probed. 3) SHA* algorithms are not appropriate to hash passwords because they are too fast, only in combination with a PBKDF2 (with a cost factor) they can be recommended. – martinstoeckli Apr 03 '14 at 08:03

1 Answers1

0

Blowfish is the most secure because, since now, it hasn't been found a way to hack it.

  • Thanks for your comment, Angelo. I read this same thing in a few places on the interwebs but considering how old it is has left me questioning its implementation. – hRdCoder Apr 02 '14 at 18:55
  • You're welcome! I've used blowfish to encrypt some data on a site I used to own, it has always worked perfectly –  Apr 02 '14 at 18:57
  • 1
    That's cool. What caught my eye about it is how easy it is to implement and how you can actually adjust the cost according to the browser delay when you're hashing something. – hRdCoder Apr 02 '14 at 19:03
  • And this “hasn’t been found a way to hack” does not apply to SHA-256 or SHA-512 or what? – Gumbo Apr 02 '14 at 19:44
  • @Gumbo, to my current understanding it does not apply. Both SHA-256 and 512 are both hackable through Rainbow Tables but are still both very secure as long as they are given a strong salt that is guaranteed to be unique. – hRdCoder Apr 02 '14 at 20:00
  • You can use Rainbow Tables for bcrypt hashes as well, although you would require a different Rainbow Table for each salt. – Gumbo Apr 02 '14 at 20:03
  • I appreciate your input, Gumbo. I guess if there is even a question if a hashing algorithm is crackable or has been cracked before it should be good enough for me to use. – hRdCoder Apr 02 '14 at 20:07
  • @hRdCoder My point is that from your question, how bcrypt (I assume you mean bcrypt and not Blowfish, see comments to the question above) relates to salted SHA-256/SHA-512 regarding security, this answer implies that only for bcrypt there “hasn't been found a way to hack it”, let alone what “hack it” means here. This answer simply lacks information and explanation. – Gumbo Apr 02 '14 at 20:23