by thomasptacek 6843 days ago
If you have to reason through or alter what you're currently doing with passwords, it's irresponsible of you to be storing passwords at all. Like it or not, your users are using the same password for your web 2.0 recipe sharing program as they are for their bank account.

Lesson: use someone else's (good) password system.

4 comments

Better yet, use OpenID and let somebody else worry about passwords.

(ok, this isn't an option for everybody yet)

Is there a list of these somewhere? Which ones would you recommend?
If you ship on Unix, use what your operating system ships with. Failing that, use bcrypt, or PHK's MD5 scheme. If you must DIY, iterate the hash function several thousand times.
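The "salt it and iterate the hash function several thousand times" fallback above, as an added example that is not the commenter's code and not any library's API. It uses PBKDF2-HMAC-SHA256 from Python's standard library as the iterated construction, stores iteration count and salt alongside the digest so the cost can be raised later, compares in constant time, and puts a deliberately weak unsalted MD5 beside it for contrast. The iteration count, the `$pbkdf2-sha256$` record format and the `needs_rehash` helper are assumptions chosen for illustration; on a system that ships crypt(3) with bcrypt or a similar scheme, use that instead.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumption: a present-day floor. "Several thousand" was the 2008 floor;
# raise this as hardware gets faster and rehash on login (see needs_rehash).
ITERATIONS = 100_000
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def naive_md5(password: str) -> str:
    """The weak 'before': one unsalted MD5. Equal passwords give equal digests,
    so one precomputed table cracks every user at once. Shown only for contrast."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. Record format (an assumption for this example):
    $pbkdf2-sha256$<iterations>$<base64 salt>$<base64 derived key>"""
    if iterations < 1:
        raise ValueError("iterations must be positive")
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # per-user random salt, never reused
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$pbkdf2-sha256$%d$%s$%s" % (iterations, _b64(salt), _b64(dk))


def _parse(stored: str):
    # Returns (iterations, salt, derived_key) or None for a malformed record.
    try:
        empty, scheme, iters, salt_b64, dk_b64 = stored.split("$")
        if empty != "" or scheme != "pbkdf2-sha256":
            return None
        return int(iters), base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    except ValueError:
        return None


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so timing does not leak how many leading bytes matched."""
    parsed = _parse(stored)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    if iterations < 1:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record was made with fewer iterations than the current
    floor, so the caller can re-store it after a successful login."""
    parsed = _parse(stored)
    return parsed is None or parsed[0] < ITERATIONS


if __name__ == "__main__":
    # Constructed sample input.
    pw = "correct horse battery staple"
    record = hash_password(pw)
    print(record)
    print("verify ok:", verify_password(pw, record))
    print("verify wrong:", verify_password("Tr0ub4dor&3", record))
    print("same md5 for two users:", naive_md5(pw) == naive_md5(pw))
    print("same pbkdf2 for two users:", hash_password(pw) == hash_password(pw))
```

The point the contrast makes: two users with the same password get the same `naive_md5` value but different `hash_password` records, so a leaked table cannot be attacked in bulk, and each guess costs the attacker the full iteration count. Keep the iteration count in the record rather than in code so old hashes still verify while `needs_rehash` drives the upgrade.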
> Lesson: use someone else's (good) password system.

Ok, what? I use Ruby on Rails, and I want something open source. What do you recommend?

Acts_as_authentable uses bcrypt.
If your bank only uses a username/password combo to confirm your identity online, you need a new bank.
If you use the same password for your web 2.0 recipe account as your bank, etc, etc, etc. We shouldn't rationalize this stuff. All I'm saying is, don't make mistakes with your password system; use someone else's (good) password scheme.