
But, as mentioned by @cperciva elsewhere in this thread, generating a key and creating a password hash are nearly synonymous. Using HKDF for passwords would be silly, but the more interesting question is: when would you use scrypt for key derivation in a system?

More to the point: what are the tradeoffs you'd consider in choosing one over the other?

(Addressed more to @cperciva...) I'm assuming tarsnap uses scrypt as its actual key derivation function for file encryption and authentication. Why scrypt instead of something else (and I have faith that it's not "not invented here" syndrome)?



I'm quoting the actual paper.


I am aware. I did read it before I posted it.


So you think maybe Hugo Krawczyk is mistaken? :)

Short answer: I think scrypt is an advancement over the class of constructions HKDF belongs to. If you're picking nits about which function to use, use scrypt.
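To make the tradeoff discussed in this thread concrete, here is an added example (not from the thread, and not tarsnap's own code): a from-scratch RFC 5869 HKDF next to Python's `hashlib.scrypt`, with a helper that estimates scrypt's memory footprint from its parameters. HKDF assumes the input keying material already has high entropy, so it is cheap on purpose; scrypt assumes the input may be a guessable password, so its `n` and `r` parameters deliberately buy memory-hardness. The `hkdf`, `scrypt_key` and `scrypt_memory_bytes` function names and the parameter choices in `main` are assumptions made for this example.

```python
import hashlib
import hmac
import math
import time


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """RFC 5869 extract step: PRK = HMAC-Hash(salt, IKM).
    An empty salt is replaced by HashLen zero bytes, as the RFC specifies."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """RFC 5869 expand step: T(i) = HMAC-Hash(PRK, T(i-1) || info || i), T(0) = ""."""
    digest_size = hashlib.new(hash_name).digest_size
    if length > 255 * digest_size:
        raise ValueError("HKDF output length must not exceed 255 * HashLen")
    okm = b""
    block = b""
    for counter in range(1, math.ceil(length / digest_size) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """Full HKDF: fast key expansion for input that is already high-entropy."""
    return hkdf_expand(hkdf_extract(salt, ikm, hash_name), info, length, hash_name)


def scrypt_memory_bytes(n: int, r: int) -> int:
    """Approximate working memory scrypt needs: the V array is 128 * r * N bytes."""
    return 128 * r * n


def scrypt_key(password: bytes, salt: bytes, length: int = 32,
               n: int = 2 ** 14, r: int = 8, p: int = 1) -> bytes:
    """Memory-hard derivation for low-entropy input (a password), via OpenSSL's scrypt.
    maxmem is raised above OpenSSL's default so the chosen n/r are not rejected."""
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p,
                          maxmem=2 * scrypt_memory_bytes(n, r), dklen=length)


def main() -> None:
    # Constructed sample inputs, not real secrets.
    high_entropy_ikm = bytes(range(32))          # e.g. a key from a prior key exchange
    password = b"correct horse battery staple"   # guessable by an offline attacker
    salt = b"example-salt-16b"

    t0 = time.perf_counter()
    k1 = hkdf(high_entropy_ikm, salt, b"file-encryption", 32)
    t1 = time.perf_counter()
    k2 = scrypt_key(password, salt, 32)
    t2 = time.perf_counter()

    print(f"HKDF   key={k1.hex()[:16]}... took {1e6 * (t1 - t0):.0f} us")
    print(f"scrypt key={k2.hex()[:16]}... took {1e3 * (t2 - t1):.1f} ms, "
          f"~{scrypt_memory_bytes(2 ** 14, 8) // 2 ** 20} MiB RAM per guess")


if __name__ == "__main__":
    main()
```

The timing and memory lines are the practical point: HKDF costs one HMAC per output block and no memory, which is exactly what you want when the input is a uniformly random key, and exactly what you do not want when the input is a password, because an attacker testing guesses pays the same tiny price per guess. scrypt's per-guess cost is set by `n` and `r`, and the `scrypt_memory_bytes` estimate is what to check against the machine it will actually run on before fixing those parameters.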



