|
|
|
|
|
|
by Arcsech
3073 days ago
|
|
|
"Rolling your own crypto" usually refers to constructing new cryptographic schemes out of either primitives or just out of wholecloth. Using well-developed hashing schemes like pbkdf2 (which the auth snippet uses) or bcrypt (another good and common option) and storing the output is not rolling your own crypto. Writing your own hash function would be rolling your own crypto. People talk about not rolling your own crypto because crypto is very, very sensitive to even very small errors, in ways that other code is not. Writing your own authentication using a well-known strong hashing scheme (which handles salting and verifying passwords in a timing attack resistant way) is much less likely to have vulnerabilities that aren't obvious. |
|
|