How to store passwords? Hash or KDF? posted April 2014

I remember a time where people would advise to just hash the password with md5 before storing it into a database.

Then md5 became a bad choice because of the rainbow tables (precomputed tables of md5). The concept of salt helped (adding a secret value to passwords before hashing them).

But hash were never meant for encrypting passwords. As KDF. But KDF seems to be better a fit for that kind of task.

See Ty's blog post "please stop hashing passwords". He makes good points and advise using those following KDFs for the job:

bcrypt
scrypt
pbkdf2

Scrypt is the one used in Litecoin by the way.

Well done! You've reached the end of my post. Now you can leave a comment or read something else.

Here are some random popular articles:

- Developers Are Not Idiots
- What are x509 certificates? RFC? ASN.1? DER?
- QUIC Crypto and simple state machines
- Speed and Cryptography
- How to Backdoor Diffie-Hellman: quick explanation
- Common x509 certificate validation/creation pitfalls
- Let's Encrypt Overview

Here are some random recent articles:

- Some news from founding a startup (zkSecurity)
- Two And A Half Coins #8 - Consensus protocols, Bitcoin, Fastpay, and Linera with Mathieu Baudet
- Want to learn more about zkBitcoin? I've made some videos
- I talked about ZK security on the first episode of Node Guardians season 2!
- First zksecurity public report is out!
- A journey into zero-knowledge proofs
- The ZK update conflict issue in multi-user applications

How to store passwords? Hash or KDF? posted April 2014

Comments

leave a comment...

How to store passwords? Hash or KDF? posted April 2014

Comments

leave a comment...

Subscribe to the mailing list