agent_008_nl
Guest
A couple of years ago I got some recommendations from Julio Vassallo on the peg. Alas, I never worked it out because the need for it expired.

Julio Vassallo 2/14/13 to peg

Do not hash passwords with SHA. It wasn't meant for that. It's not a *cryptographic* hashing algorithm. If you care about your users' security you should use bcrypt: http://bcrypt.codeplex.com/

A salt is just something that gets added to the plaintext before you call the hash function. E.g. instead of hash(password), you can salt with the username by doing hash(username + password). In practice, salts are usually some secret token that only you know about, generated per-user (e.g. a UUID that gets stored as a column in the User table). The main point of them is to break rainbow tables, so pretty much anything works for a salt.

to Julio, peg

Thanks Julio. Still thinking about this. FYI: www.unlimitednovelty.com/.../dont-use-bcrypt.html

Julio Vassallo 2/20/13 to me, peg

Yeah, I saw that on HN when it was posted: news.ycombinator.com/item (some great comments there, including from Moxie Marlinspike and Thomas Ptacek)

You can use scrypt if you want, and it's theoretically stronger, but it hasn't been out for as long as bcrypt and implementations are not as widely available. PBKDF2 is worse than bcrypt.
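As an added illustration of the advice in the thread above (this is example code written for this page, not code from the original post or from Julio), the following Python puts an unsalted SHA-256 next to a per-user random salt plus a slow key-derivation function. bcrypt is not in the Python standard library, so the slow KDF here is hashlib.pbkdf2_hmac, which the thread rates below bcrypt but which serves to show the mechanics: the salt is stored alongside the hash, so two users with the same password get different stored values and a precomputed table built for one salt is useless for another. The user names, passwords, iteration count and record layout are constructed assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who happen to choose the same password.
USERS = {"alice": "hunter2", "bob": "hunter2"}

# Assumed work factor; tune upward as hardware gets faster.
ITERATIONS = 200_000


def unsalted_sha256(password: str) -> str:
    """What the thread warns against: a fast hash, no salt.

    Equal passwords give equal digests, so one rainbow table cracks
    every user at once and shows who shares a password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def username_salted_sha256(username: str, password: str) -> str:
    """Julio's first variant, hash(username + password): still a fast hash,
    but the digest now differs per user, so a table has to be built per user."""
    return hashlib.sha256((username + password).encode("utf-8")).hexdigest()


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Slow, salted derivation standing in for bcrypt/scrypt (example choice)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def make_record(password: str) -> dict:
    """Create what the User table row would hold: a random per-user salt,
    the work factor used, and the derived hash. Nothing secret beyond the
    password itself is required for verification later."""
    salt = os.urandom(16)  # unpredictable per-user salt, like a stored UUID
    return {
        "salt": salt.hex(),
        "iterations": ITERATIONS,
        "hash": derive(password, salt, ITERATIONS).hex(),
    }


def verify(record: dict, candidate: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    expected = bytes.fromhex(record["hash"])
    actual = derive(candidate, bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(expected, actual)


def demo() -> dict:
    """Return the three storage styles side by side for the sample users."""
    out = {}
    for name, pw in USERS.items():
        out[name] = {
            "unsalted": unsalted_sha256(pw),
            "username_salted": username_salted_sha256(name, pw),
            "record": make_record(pw),
        }
    return out


if __name__ == "__main__":
    result = demo()
    for name, entry in result.items():
        print(name)
        print("  unsalted SHA-256 :", entry["unsalted"])
        print("  hash(user+pw)    :", entry["username_salted"])
        print("  salted PBKDF2    :", entry["record"]["hash"], "salt", entry["record"]["salt"])
    print("alice/hunter2 verifies:", verify(result["alice"]["record"], "hunter2"))
    print("alice/hunter3 verifies:", verify(result["alice"]["record"], "hunter3"))
```

Running it shows the unsalted column identical for alice and bob, the username-salted column different but still instantly computable, and the PBKDF2 records different on every run because the salt is fresh each time; verification succeeds only for the correct password because the stored salt and iteration count are reused.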