david wong

Hey! I'm David, cofounder of zkSecurity and the author of the Real-World Cryptography book. I was previously a crypto architect at O(1) Labs (working on the Mina cryptocurrency), before that I was the security lead for Diem (formerly Libra) at Novi (Facebook), and a security consultant for the Cryptography Services of NCC Group. This is my blog about cryptography and security and other related topics that I find interesting.

How to store passwords? Hash or KDF? posted April 2014

I remember a time where people would advise to just hash the password with md5 before storing it into a database.

Then md5 became a bad choice because of the rainbow tables (precomputed tables of md5). The concept of salt helped (adding a secret value to passwords before hashing them).

But hash were never meant for encrypting passwords. As KDF. But KDF seems to be better a fit for that kind of task.

See Ty's blog post "please stop hashing passwords". He makes good points and advise using those following KDFs for the job:

  • bcrypt
  • scrypt
  • pbkdf2

Scrypt is the one used in Litecoin by the way.

Well done! You've reached the end of my post. Now you can leave a comment or read something else.

Comments

leave a comment...