Saving PBKDF2 Settings Near Password

Question

Saving PBKDF2 Settings Near Password

I am experimenting with PBKDF2 for my passwords right now, and it has become clear to me that if I ever upgrade to a faster machine in the future, I would like to increase the number of iterations of PBKDF2. However, this will invalidate all current passwords that I saved. One of my ideas was to save the PBKDF2 settings along with a password (similar to how you store the salt), like a PRF iteration counter (SHA-256, SHA-512) while creating a hash. That sounds like a good idea in terms of backward compatibility, but I wanted to know if there were any flaws for this. Any understanding of this would be appreciated.

+4

passwords cryptography password-protection sha2 pbkdf2

Huy t Aug 20 '14 at 2:02

source share

1 answer

jariq · Accepted Answer · 2014-08-20T06:07:39+0000

You are definitely taking the right direction here. Many systems only store salt, but where are the other parameters needed to run PBKDF2? Programmed! And hard coding options for cryptographic functions are almost never a good idea.

The only drawback that I see is that when you save all the parameters, your database will probably take a little more space, but your future updates will be much simpler and more understandable.

BTW RFC 2898 PBKDF2-params, PBKDF2. , , , - .

Saving PBKDF2 Settings Near Password

More articles: