From what I'm reading, for storing passwords it is recommended to use a KDF (like Bcrypt). If it is more secure to use a KDF for handling passwords, when would you use a password hash instead?
Viewed 630 times
3
- What is a KDF? – Glen Pierce Jul 29 '18 at 00:35
- You should never hash passwords; that's an antiquated and vulnerable process we now know better than. – dandavis Jul 29 '18 at 17:44
- @GlenPierce Key derivation function. As AndrolGenhald pointed out, a hash function is a legitimate (nonetheless pretty bad) KDF; however, not all KDFs are simple password hash functions. – GxTruth Jul 30 '18 at 10:39
1 Answer
3
A password hash is a KDF, but not all KDFs are password hashes. Password hashes have the additional requirement that they allow configuring how slow they are, while some KDFs do not have this ability.
For instance, HKDF is a KDF designed to allow deriving keys from an existing high-entropy key. This is useful when you already have a single key (either generated randomly or from a slow KDF like bcrypt, Argon2, PBKDF2, etc.), but need multiple keys.
AndrolGenhald
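The two-stage pattern the answer describes, as an added example that is not part of the original answer: a slow, cost-configurable password KDF turns a low-entropy password into one master key, and HKDF (RFC 5869, implemented here from the standard library's hmac and hashlib) expands that key into several purpose-specific keys. PBKDF2-HMAC-SHA256 stands in for bcrypt or Argon2 only because it ships with Python; the labels, salt sizes and iteration count are assumptions for illustration, not values from the page.

```python
"""Added example (not from the original answer): slow password KDF -> HKDF.

Standard library only. PBKDF2 is used as the slow, tunable password KDF
because it is built into Python; Argon2 or bcrypt would be the usual choice.
"""
import hashlib
import hmac
import os
import time


def password_kdf(password: bytes, salt: bytes, iterations: int = 600_000) -> bytes:
    """Password hash / slow KDF: the cost (iterations) is configurable, which
    is exactly the property that distinguishes a password hash from a generic
    KDF such as HKDF. Returns a 32-byte master key."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """HKDF-Extract (RFC 5869 section 2.2): PRK = HMAC-Hash(salt, IKM).
    An empty salt is replaced by HashLen zero bytes, as the RFC specifies."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand (RFC 5869 section 2.3): T(i) = HMAC(PRK, T(i-1) | info | i).
    Fast by design: one HMAC per HashLen bytes of output, no tunable cost."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("HKDF-Expand output length exceeds 255 * HashLen")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_subkeys(master_key: bytes, labels, length: int = 32) -> dict:
    """Expand one high-entropy master key into independent keys, one per
    label (e.g. "enc", "mac"). The label goes into HKDF's info field, so the
    keys are domain-separated and cannot be confused with each other."""
    prk = hkdf_extract(b"", master_key)
    return {label: hkdf_expand(prk, label.encode(), length) for label in labels}


def derive_from_password(password: bytes, salt: bytes, labels, iterations: int = 600_000) -> dict:
    """Full pipeline: slow password KDF once, then cheap HKDF for each key."""
    master = password_kdf(password, salt, iterations)
    return derive_subkeys(master, labels)


if __name__ == "__main__":
    # Constructed sample input: a weak password and a random per-user salt.
    password = b"correct horse battery staple"
    salt = os.urandom(16)

    t0 = time.perf_counter()
    master = password_kdf(password, salt)
    slow = time.perf_counter() - t0

    t0 = time.perf_counter()
    keys = derive_subkeys(master, ["enc", "mac", "kdf-v2"])
    fast = time.perf_counter() - t0

    print(f"PBKDF2 (600k iterations): {slow * 1000:.1f} ms")
    print(f"HKDF for 3 subkeys:       {fast * 1000:.3f} ms")
    for label, key in keys.items():
        print(f"{label:7s} {key.hex()}")
```

The timing printed by the block makes the answer's point concrete: the password KDF is where all the work (and the tunable cost) lives, while HKDF is a handful of HMAC calls. Feeding a password straight into HKDF would therefore not be a password hash, because an attacker could test guesses as fast as HMAC runs.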