Secure Password Hashing [closed]

by

Salt your hash with secure random salt of at least 128bits or longer, to avoid a rainbow attack and use BCrypt, PBKDF2 or scrypt. PBKDF2 comes with NIST approval.

To quote: Archive.org: http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html

The problem is that MD5 is fast. So are its modern competitors, like
SHA1 and SHA256. Speed is a design
goal of a modern secure hash, because
hashes are a building block of almost
every cryptosystem, and usually get
demand-executed on a per-packet or
per-message basis.

Speed is exactly what you don’t want in a password hash function.

Fast password validation functions are a problem, cause they can be attacked using brute force. With all the algorithms above you can control the “slowness”

More Related Contents:

  1. Secure hash and salt for PHP passwords
  2. Difference between Hashing a Password and Encrypting it
  3. Default SecurityProtocol in .NET 4.5
  4. HashSet vs. List performance
  5. How does SQLParameter prevent SQL Injection?
  6. Is “double hashing” a password less secure than just hashing it once?
  7. .NET obfuscation tools/strategy [closed]
  8. How to hash a password
  9. Default implementation for Object.GetHashCode()
  10. SHA512 vs. Blowfish and Bcrypt [closed]
  11. When would I need a SecureString in .NET?
  12. Override Authorize Attribute in ASP.NET MVC
  13. encrypt and decrypt md5
  14. What algorithm should I use to hash passwords into my database? [duplicate]
  15. Best Practices: Salting & peppering passwords?
  16. How to create a laravel hashed password
  17. MD5 hash with salt for keeping password in DB in C#
  18. Inheritance security rules violated while overriding member – SecurityRuleSet.Level2
  19. How to build RUNAS /NETONLY functionality into a (C#/.NET/WinForms) program?
  20. How can I avoid SQL injection attacks in my ASP.NET application?
  21. Why not use MD5 for password hashing?
  22. User Group and Role Management in .NET with Active Directory
  23. Encrypting appSettings in web.config
  24. WCF error: The caller was not authenticated by the service
  25. Can strong naming an assembly be used to verify the assembly author?
  26. Is “Code Access Security” of any real world use?
  27. Do I need a “random salt” once per password or only once per database?
  28. How to securely store a connection string in a WinForms application?
  29. Memory randomization as application security enhancement?
  30. How to hash a password with SHA-512 in Java?

Leave a Comment