

Bcrypt is Not the Answer - jcromartie
http://jcromartie.tumblr.com/post/24677917522/bcrypt-is-not-the-answer

======
michaelw
I don't think this is correct. With bcrypt you can adjust the work factor to
keep up with the ramifications of Moore's law.

See [http://stackoverflow.com/questions/4443476/optimal-bcrypt-wo...](http://stackoverflow.com/questions/4443476/optimal-bcrypt-work-factor)

~~~
jcromartie
You have to adjust the work factor to keep up with the computing power _of
your potential attackers_. The number and total power of computers connected
to the Internet available to do work for crackers will increase faster than
the power available to your web server for authentication.

And it also depends on people actually making the adjustment (and creating the
infrastructure to support those changes over time). We already have big
organizations failing to keep up in so many ways. Why would we expect them to
continue fine-tuning their bcrypt parameters?

As I said, bcrypt is an arms race.
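
The "infrastructure to support those changes over time" mentioned in this thread is commonly built as rehash-on-login. The sketch below is an added example, not code from either commenter or the linked post: it reads the work factor out of stored bcrypt strings, audits a store against a policy, and upgrades a hash after a successful verify. `TARGET_COST`, the function names and the `verify`/`rehash` callables (stand-ins for a real bcrypt binding) are assumptions, and the sample hashes are constructed placeholders.

```python
import re

# bcrypt modular crypt format: $2<variant>$<cost>$<22-char salt + 31-char digest>
BCRYPT_RE = re.compile(r"\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}")
TARGET_COST = 12  # assumed policy value; pick yours by benchmarking your auth servers

def parse_cost(stored):
    """Return the work factor encoded in a bcrypt hash string, or None if malformed."""
    m = BCRYPT_RE.fullmatch(stored)
    if not m:
        return None
    cost = int(m.group(1))
    return cost if 4 <= cost <= 31 else None

def needs_rehash(stored, target=TARGET_COST):
    """True when the stored hash is below policy (or not a bcrypt hash at all)."""
    cost = parse_cost(stored)
    return cost is None or cost < target

def work_ratio(cost, target=TARGET_COST):
    """How many times cheaper a guess is against `cost` than against `target`.
    bcrypt runs 2**cost key-expansion rounds, so each step doubles the work."""
    return 2 ** (target - cost)

def audit(hashes):
    """Histogram of work factors in the credential store (None = unparseable)."""
    counts = {}
    for h in hashes:
        cost = parse_cost(h)
        counts[cost] = counts.get(cost, 0) + 1
    return counts

def login(stored, password, verify, rehash, target=TARGET_COST):
    """Verify, then upgrade while the plaintext is in hand.
    verify(password, stored) -> bool and rehash(password, cost) -> str are
    hypothetical callables wrapping whatever bcrypt binding you use.
    Returns (authenticated, replacement_hash_or_None)."""
    if not verify(password, stored):
        return False, None
    return True, (rehash(password, target) if needs_rehash(stored, target) else None)

# Constructed placeholders with the right shape; not real salts or digests.
SAMPLE_STORE = ["$2a$08$" + "A" * 53, "$2b$10$" + "B" * 53, "$2b$12$" + "C" * 53]

if __name__ == "__main__":
    print(audit(SAMPLE_STORE))
    for h in SAMPLE_STORE:
        print(parse_cost(h), needs_rehash(h), work_ratio(parse_cost(h)))
```

Accounts that never log in again keep their old work factor, so the `audit` histogram is what shows how much of the store is still below policy.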

