Subject: Re: PROPOSAL: adding capability for blowfish passwords
To: David Laight <>
From: Steven M. Bellovin <>
List: current-users
Date: 05/25/2002 18:18:07
In message <>, David Laight writes:
>> So, as I said before:  Blowfish isn't a bad way to hash passwords; it's 
>> simply not designed for that purpose.
>From "Applied Cryptography" by Bruce Schneier, 2nd Ed page 336:
>"Blowfish is an algorithm of my own design, ... Blowfish is
>not suitable for applications such as ..., or as a one way
>hash function."

Blowfish per se isn't designed as a one-way hash, but the OpenBSD code 
uses it in a particular way for that purpose -- see the Usenix paper.

		--Steve Bellovin, (me) ("Firewalls" book)