undefined | Better HN

0 pointstptacek1y ago0 comments

I have a really hard time taking the attack research on password KDFs all that seriously. I don't think there are many common threat models where "weaknesses" in password hashes are more than marginal issues.

Not using a real password KDF is a big issue. Using the wrong one, not so much.

0 comments

1 comments · 1 top-level

FreakLegion1y ago

I don't disagree at all. My comment is about paperwork and selling to the government ("operating in the FIPS world", as the post has it, where NIST enters the conversation). I'm sure you can get away with tacking PBKDF2 onto Argon2 here, but those are hoops you don't need to jump through.

j / k navigate · click thread line to collapse