Fun with Password Hashing

I’ve been spending some time looking into password hashing best practices over the last week.

I’ve know about the BCrypt algorithm for a long time as the old BSD standard ‘high effort’ hashing algorithm designed to make brute forcing hashes difficult.

I’ve found that there is a new effort called SCrypt intended to generate a modern equivalent for dedicated password hashing as well as a ‘password expansion’ algorithm that appears to be in wide used called PBKFD2.

The PBKDF2 algorithm applies an HMAC using the key input to inject the salt and then to chain iterations of the process. It takes a user selected number of iterations that allows the work-load to generate the hash to be tuned to the scope of expected attacks (and to the performance of the target hardware). This allows modern high performance algorithms such as SHA-256 to be applied in a manner that makes the total calculation of the final salted hash resource intensive enough to reduce the likelihood of a successful brute force attack.

C++ 11, 14, 17 and Later

I’m quite familiar with much of the content of C++ 2011 as it represented a welcome and long desired step up in C++ language capability.

I’m less clear on the changes that live in the 2014 and 2017 incremental updates (smaller and more tightly focused) and the upcoming work that will feed into the next release.

Getting on top of this is becoming more important as I’m back in the C++ world and while almost everything should support C++ 11, the later iterations may be missing or fragmentary.

I’m spending a little time this afternoon looking through resources on this front, starting with the C++ 2011, 2014 and 2017 pages on wikipedia.

I have pulled the draft PDF file for 2011, 2014 and 2017 and grabbed the github source for the standard(s). These are quite useful, but seriously deep waters if only the changes are of specific interest. Interesting pointers on where to buy the official docs here with the 2017 version from ANSI at just over $100.00. The current working draft appears to be on github here. I may take a shot at building that into a readable PDF at some point…

I am also rather interested to see what is in boost these days. Back in the visual studio 2010 era, the TR1 content that eventually fed into C++ 11 was one of the bigger draws…now that is part of the core tools in general so I’m expecting a new range on interesting bits. The seem to have a github repo here.

And here is the C++ 20 page. Interesting that 20 looks to be much more like 11 than 14 and 17 (which were small tweaks).

Just Ordered the newish Josuttis book on C++ 17

Ordered a copy of the new Josuttis book this morning. I’ve found his standard library and templates books to be very much worth reading and I’m hoping that C++17 – The Complete Guide will provide a useful update to Stroustrup (which is getting a bit old).

I’m back in the world of C++ and the language is undergoing a lot more change these days than it had been in the early 2000’s. Keeping up with the future trajectory of C++ is very much on my radar.