Gentoo Archives: gentoo-dev

From: Joshua Kinard <kumba@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Switching default password hashes from sha512 to yescrypt
Date: Mon, 25 Jul 2022 22:10:32
In Reply to: Re: [gentoo-dev] Switching default password hashes from sha512 to yescrypt by John Helmert III

On 7/25/2022 16:29, John Helmert III wrote:
> On Mon, Jul 25, 2022 at 03:59:59PM -0400, Joshua Kinard wrote:
>> On 7/25/2022 15:30, Joshua Kinard wrote:
>> [snip]
>>
>>>
>>> Some really quick looking around, I'm not finding any substantive
>>> discussions on why yescrypt is better than argon2. It so far seems that it
>>> just got implemented in libxcrypt sooner than argon2 did, so that's why
>>> there is this sudden push for it.
>>>
>>> E.g., on Issue #45 in linux-pam[3], user ldv-alt just states "I'd recommend
>>> yescrypt instead. Anyway, it has to be implemented in libcrypt.", but
>>> provides no justification for why they recommend yescrypt. Since we're
>>> dealing with a fairly important function for system security, I kinda want
>>> something with much more context that presents pros and cons for this
>>> algorithm over others, especially argon2.
>>
>> So there is this question and three answers on Crypto StackExchange. It is
>> about five years old, but it's got more detail on why argon2 won the PHC
>> instead of one of the other contenders. It is still subjective information,
>> but more thorough:
>>
>>
>> There's some more info if one continues to deep-dive on CSE, but I am
>> noticing a lot of the info is several years old. Some more recent things
>> make references to a newer algo called Balloon, but that seems to be going
>> off into side-tangents.
>>
>> Anyways, I guess I am just being paranoid. If a change to hashing algos is
>> made, it should be based on facts and not popularity contests or feelings.
>
> I'm not sure it's fair to suggest this change is based on "popularity
> contests or feelings". The facts were given in the original mail, just
> because one finds them unconvincing doesn't mean those facts aren't
> real and convincing to others.
>

My wording could sometimes be done better, but that's my takeaway in a
nutshell. Facts, presented objectively and well, should convince just about
anyone. But the Fedora page just doesn't do that for me. It really only
presents positives and no negatives of yescrypt. Are there any? I don't
know. I assume there have to be, but I'm not a crypto-expert.

I've only done a light, cursory search on Google for something basic like
"argon2 vs yescrypt", and that gets a few interesting results. A few links
to github, one to the PHC website, another to the now-dead openwall ML
posts, and Debian's bug for switching pam_linux over to using yescrypt. The
most recent discussion-wise result is the comments on a Hacker News article
that is 11 months old[1].

1.

--
Joshua Kinard
Gentoo/MIPS
kumba@g.o
rsa6144/5C63F4E3F5C6C943 2015-04-27
177C 1972 1FB8 F254 BAD0 3E72 5C63 F4E3 F5C6 C943

"The past tempts us, the present confuses us, the future frightens us. And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic