Hacker News new | ask | show | jobs
“Website Passwords Hacked” headlines can be less scary (privasectech.com)
3 points by privasectech 4587 days ago
2 comments
dxm 4587 days ago 

  The two most common methods, md5 and sha-1 are
  both susceptible to collisions, or birthday attacks.
  As of writing this, I would recommend using
  SHA-3-256 which has no known attacks.
Don't do that. Hashing algorithms without salt and iteration counts is a bad idea. Thankfully, languages and frameworks are starting to take this responsibility away from the programmer (or at least they're making it easier) – consider using has_secure_password in Rails, password_hash in PHP 5.5, etc. Don't use standard hashing algorithms.
link
privasectech 4587 days ago
Thanks! I have updated the article to include a paragraph on salting.
link
mschuster91 4587 days ago
You totally forget about hash salting - this way a hacker can't use rainbow tables or precomputed hashes for common passwords.
link
iLoch 4587 days ago
I've also seen a fair bit of misunderstanding about hashes - you do not want to apply a global salt to all your hashes. Salts should be generated on a per hash basis, and should be stored within the hash itself. Most hashing libraries will do this. It's usually much easier and safer to use a library than to roll your own.
link
mschuster91 4587 days ago
Indeed, yes, and I do this for all my projects. But even a global salt is way better than no salt at all.

That aside, doesn't Wordpress still use lots of global salts?!

link
privasectech 4587 days ago
Thanks for this! I have added a paragraph on salting if you reload the page.
link