by tptacek
5641 days ago
Best practices for secure password storage really --- and I'm not being hyperbolic --- haven't changed much since the '90s. Poul-Henning Kamp wrote the FreeBSD MD5-based password hash and captured the main problem with secure password storage on his first try. The requirement here is not really evolving. The reason people (mostly me, admittedly) raise such a stink about this is that using SHA1 or MD5 directly to create password hashes is SO. BAD. It's actually worse than the original DES crypt(3) function. Web apps created a new instance of the original vulnerability, of people creating terrible new password hashes all the time that are vulnerable to problems addressed in the 1970s. I can see why, given that stink, you might think it's hard to store passwords. bcrypt is new-ish (it's roughly a decade old), but you don't have to use bcrypt; it's just the best recommendation you can give someone starting from scratch on this problem.
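The contrast the comment draws, as an added example that is not part of the original thread: a bare MD5 digest next to a salted, iterated password hash with a tunable work factor. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 from `hashlib` stands in for it here (that substitution, the iteration count, the storage string layout and the sample accounts are all my assumptions, not anything from the comment); the two properties it demonstrates, a per-user salt and a deliberately slow hash, are the same ones bcrypt provides.

```python
import hashlib
import hmac
import os
import time

# Constructed sample credentials for the demonstration (not real accounts).
# Two users who happen to have chosen the same password.
USERS = {"alice": "correct horse battery staple",
         "bob": "correct horse battery staple"}

# Work factor; plays the role of bcrypt's cost parameter (assumed value).
ITERATIONS = 600_000


def md5_direct(password: str) -> str:
    """The anti-pattern the comment describes: one fast, unsalted digest.
    Equal passwords produce equal hashes, and a leaked table can be attacked
    at millions of guesses per second per core."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256 standing in for bcrypt).
    The stored string carries algorithm, work factor and salt so the cost can
    be raised later without knowing the original password."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def same_hash_for_same_password(hasher) -> bool:
    """True when two users with the same password get the same stored value,
    i.e. when the scheme has no per-user salt."""
    return hasher(USERS["alice"]) == hasher(USERS["bob"])


def seconds_per_hash(hasher, rounds: int = 3) -> float:
    """Rough cost of one hash; the defender wants this large, within reason."""
    start = time.perf_counter()
    for _ in range(rounds):
        hasher("a guess")
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    print("unsalted MD5 collides across users:",
          same_hash_for_same_password(md5_direct))
    print("salted PBKDF2 collides across users:",
          same_hash_for_same_password(hash_password))
    stored = hash_password(USERS["alice"])
    print("stored record:", stored)
    print("verify correct password:", verify_password(USERS["alice"], stored))
    print("verify wrong password:", verify_password("hunter2", stored))
    print("MD5 seconds/hash:   %.2e" % seconds_per_hash(md5_direct))
    print("PBKDF2 seconds/hash: %.2e" % seconds_per_hash(hash_password))
```

The timing line at the end is the whole argument in one number: the fast digest costs microseconds, the iterated hash costs a noticeable fraction of a second, and that ratio is the factor by which an attacker's offline guessing slows down. In production use a vetted library (bcrypt, scrypt or Argon2) rather than hand-rolled PBKDF2 framing, and re-tune the work factor as hardware improves.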