by moonboots 5102 days ago
NetTuts needs to mention which key derivation function they are using so the community can verify they didn't fuck up again.

I would also recommend that they use this opportunity to teach their web developing users about proper password storage, but after reading their php hashing tutorial[1], I think it's best if their users look elsewhere. The tutorial eventually recommends bcrypt after listing multiple unsafe solutions. I understand that the author is trying to build up to the solution, but the correct solution needs to be in the first paragraph. The incorrect solutions need to be clearly flagged so a beginner skimming through doesn't see "md5" and stop.

[1] http://net.tutsplus.com/tutorials/php/understanding-hash-fun...


There's no real way to 'verify' this. They would have to provide the source code in its entirety and several card-carrying, certified cryptanalysts/cryptographers would have to vet it and then publicly approve of it. That will never happen.

Users have to have some level of trust. Like everything else in life.

If they use a well-maintained standard library which uses a modern cryptographic hashing function, then I think they earn that trust.

There is no real disadvantage to saying which one and a lot of trust to regain.

Absolute verification is impossible, but this doesn't mean more verification isn't helpful. NetTuts should publicly say what key derivation function they are using. Could they be lying? Maybe. Could they have other security vulnerabilities? Probably. Would I trust NetTuts with my credit card number? No.
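As an added illustration of the thread's "say which KDF you are using" point (example code, not from NetTuts or any commenter): a password record that names its own KDF and parameters, so the scheme protecting each record is visible and unsalted legacy hashes are refused and flagged for upgrade. It assumes PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for the bcrypt the thread recommends; the record format and the iteration count are my own choices.

```python
import base64
import hashlib
import hmac
import os

# Constructed record format: scheme$iterations$salt$hash, all fields visible.
SCHEME = "pbkdf2-sha256"      # stand-in for bcrypt; stdlib only
ITERATIONS = 600_000          # assumed policy minimum for new records


def _b64(raw: bytes) -> str:
    # Standard base64 never contains '$', so the separator is unambiguous.
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record with a fresh 16-byte random salt."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return "$".join([SCHEME, str(iterations), _b64(salt), _b64(dk)])


def verify_password(password: str, record: str) -> bool:
    """Constant-time check; any record not in the declared scheme fails closed."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME or not parts[1].isdigit():
        return False  # e.g. a bare md5 hex digest: refuse rather than guess the KDF
    salt = base64.b64decode(parts[2])
    expected = base64.b64decode(parts[3])
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(parts[1]),
                             dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_upgrade(record: str) -> bool:
    """True for legacy records or records below the current iteration policy."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME or not parts[1].isdigit():
        return True
    return int(parts[1]) < ITERATIONS


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec.split("$")[0], verify_password("correct horse battery staple", rec))
```

Because the KDF name and cost live in the record, a site can state exactly what it uses and re-hash weak or legacy records at the user's next successful login.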