Scott Arciszewski
2016-05-22 21:17:28 UTC
Hi all,
I frequently find myself telling people, "Don't encrypt passwords, hash
them," but then I have to continue on explaining that you can't just use
ANY old cryptographic hash function, you need to use one of these special
password hashing functions instead.
A lot of clarity and simplicity can be gleaned from choosing a distinct
verb to go along with each major class of cryptographic algorithm, even if
it's an informal vernacular.
This is what I've come up with so far:
* Symmetric-key cryptography
* Symmetric-key encryption
* encrypt
* decrypt
* Symmetric-key authentication
* auth
* validate
* Asymmetric-key cryptography
* Asymmetric-key encryption (wherein you encrypt with
$publicKey but can only decrypt with $secretKey)
* seal
* open
* Asymmetric-key authentication
* sign
* verify
* Key agreement
* exchange / agree / negotiate
(not sure which is easiest yet)
* Other cryptography
* Cryptographic hash functions
* hash
* Password hash functions
* ?????
I'm not the first to propose the naming issue, but my argument is a bit
different: I'm fine with "password hash" as a compound noun. I'd just like
to get some feedback on a verb, for telling developers with little security
background:
Don't encrypt passwords. Don't hash passwords. Instead, ______
passwords.
Some ideas that have come up in discussing this on Twitter:
* PASH (previously suggested by dchest)
* phash (my original suggestion; pronounced "fash"; short for password
hash)
* pulverize
* blend
* puree
* blitz
* nuke and pave (not sure if this one was tongue-in-cheek)
Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>
I frequently find myself telling people, "Don't encrypt passwords, hash
them," but then I have to continue on explaining that you can't just use
ANY old cryptographic hash function, you need to use one of these special
password hashing functions instead.
A lot of clarity and simplicity can be gleaned from choosing a distinct
verb to go along with each major class of cryptographic algorithm, even if
it's an informal vernacular.
This is what I've come up with so far:
* Symmetric-key cryptography
* Symmetric-key encryption
* encrypt
* decrypt
* Symmetric-key authentication
* auth
* validate
* Asymmetric-key cryptography
* Asymmetric-key encryption (wherein you encrypt with
$publicKey but can only decrypt with $secretKey)
* seal
* open
* Asymmetric-key authentication
* sign
* verify
* Key agreement
* exchange / agree / negotiate
(not sure which is easiest yet)
* Other cryptography
* Cryptographic hash functions
* hash
* Password hash functions
* ?????
I'm not the first to propose the naming issue, but my argument is a bit
different: I'm fine with "password hash" as a compound noun. I'd just like
to get some feedback on a verb, for telling developers with little security
background:
Don't encrypt passwords. Don't hash passwords. Instead, ______
passwords.
Some ideas that have come up in discussing this on Twitter:
* PASH (previously suggested by dchest)
* phash (my original suggestion; pronounced "fash"; short for password
hash)
* pulverize
* blend
* puree
* blitz
* nuke and pave (not sure if this one was tongue-in-cheek)
Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>