What algorithm should I use to hash passwords into my database? [duplicate]

by

This 2008 answer is now dangerously out of date. SHA (all variants) is now trivially breakable, and best practice is now (as of Jan 2013) to use a key-stretching hash (like PBKDF2) or ideally a RAM intensive one (like Bcrypt) and to add a per-user salt too.

Points 2, 3 and 4 are still worth paying attention to.

See the IT Security SE site for more.

Original 2008 answer:

  1. Use a proven algorithm. SHA-256 uses 64 characters in the database, but with an index on the column that isn’t a problem, and it is a proven hash and more reliable than MD5 and SHA-1. It’s also implemented in most languages as part of the standard security suite. However don’t feel bad if you use SHA-1.

  2. Don’t just hash the password, but put other information in it as well. You often use the hash of “username:password:salt” or similar, rather than just the password, but if you play with this then you make it even harder to run a dictionary attack.

  3. Security is a tough field, do not think you can invent your own algorithms and protocols.

  4. Don’t write logs like “[AddUser] Hash of GeorgeBush:Rep4Lyfe:ASOIJNTY is xyz”

More Related Contents:

  1. Difference between Hashing a Password and Encrypting it
  2. SHA512 vs. Blowfish and Bcrypt [closed]
  3. Fundamental difference between Hashing and Encryption algorithms
  4. Is “double hashing” a password less secure than just hashing it once?
  5. Encrypting/Hashing plain text passwords in database [closed]
  6. The necessity of hiding the salt for a hash
  7. Password hashing, salt and storage of hashed values
  8. Best Practices: Salting & peppering passwords?
  9. Why not use MD5 for password hashing?
  10. Should I impose a maximum length on passwords?
  11. Do I need a “random salt” once per password or only once per database?
  12. Secure hash and salt for PHP passwords
  13. Disable browser ‘Save Password’ functionality
  14. Salt Generation and open source software
  15. Two-way encryption: I need to store passwords that can be retrieved
  16. How can bcrypt have built-in salts?
  17. Why is security through obscurity a bad idea? [closed]
  18. Preferred Method of Storing Passwords In Database
  19. encrypt and decrypt md5
  20. What is the purpose of base 64 encoding and why it used in HTTP Basic Authentication?
  21. How to create a laravel hashed password
  22. Differences Between Rijndael and AES
  23. md5 decoding. How they do it?
  24. How do I generate a SALT in Java for Salted-Hash?
  25. Secure Password Hashing [closed]
  26. How to decrypt a password from SQL server?
  27. MD5 security is fine? [closed]
  28. How can I hash passwords in postgresql?
  29. How to send password securely via HTTP using Javascript in absence of HTTPS?
  30. How to hash a password with SHA-512 in Java?

Leave a Comment