[messaging] PBKDF2 vs bcrypt vs scrypt ... when dealing with browsers
Tao Effect
contact at taoeffect.com
Fri Dec 19 21:52:51 PST 2014
Question for the crypto-gurus out there (skip to TLDR if you want).
What is the best practice (for today) when dealing with passwords over websites, given the following context and assumptions:
Context:
- Hashed/encrypted passwords stored in server database
- User enters password in form and sends to server over HTTPS
- KDF algorithm shouldn't run for more than 2 seconds on any modern mobile device
Assumptions:
- It is better to send the encrypted password over the wire than the password itself
Known knowns:
- Server can run all three KDFs natively.
- Clients (web browsers) can only run PBKDF2 natively for browsers that support that part of the WebCrypto spec
TLDR:
That last part is the crux of the question: since only PBKDF2 might be supported natively, and scrypt/bcrypt are forced to run in JS, does that imply that in the case of login forms PBKDF2 is actually /more secure/ than scrypt/bcrypt given our 2 second runtime constraint?
How do I even begin to test/validate this question?
Many thanks!
Greg Slepak
--
Please do not email me anything that you are not comfortable also sharing with the NSA.