by mckiddy
3913 days ago
In that case they should just leave out the examples entirely. If the code runs, someone in the world WILL copy & paste it into their project and walk away, no matter if it's marked as insecure or not, which just perpetuates the problems that the post is trying to deal with. Also I'm not sure "password hashing" is any more descriptive than "password encryption."
I'll consider it.
> Also I'm not sure "password hashing" is any more descriptive than "password encryption."
It absolutely is. Encryption is a two-way transformation of data. It is, by design, reversible.
Hashing is one-way.
Password hashing is a special case of hashing where you want it to be computationally expensive (even with special hardware at your disposal) to attack, but still perform well enough to interact with.
Password encryption implies that a two-way transformation has taken place, and given the key, you should be able to reverse it. This is not within the scope of the requirements for secure password storage.
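An added example (not written by either commenter) of what the reply describes: a one-way password record built with PBKDF2-HMAC-SHA256 from the Python standard library, with a random salt, a tunable iteration count, and constant-time verification. Nothing in the stored record lets you recover the password; the only way to check one is to redo the work. The iteration count and record format are assumptions for illustration; tune the cost to your own hardware.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Work factor (assumed value): number of PBKDF2 iterations. Raising it slows
# both the legitimate login check and anyone guessing passwords offline.
ITERATIONS = 200_000


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iters>$<salt hex>$<digest hex>.

    The record stores the salt and parameters, never the password; the
    transformation is one-way, so there is no key that would reverse it.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count, then compare
    in constant time so the comparison itself leaks nothing about the digest."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def cost_seconds(iterations: int) -> float:
    """Time one hash at the given iteration count: the 'computationally
    expensive but still usable' trade-off is set by this number."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"timing-probe", b"\x00" * 16, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verifies:", verify_password("correct horse battery staple", record))
    print("rejects wrong password:", not verify_password("Tr0ub4dor&3", record))
    print(f"one check at {ITERATIONS} iterations: {cost_seconds(ITERATIONS):.3f}s")
```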