undefined | Better HN

0 pointsrdl15y ago0 comments

Absolutely. That's essentially PBKDF2 (http://en.wikipedia.org/wiki/PBKDF2).

You usually add a salt (an additional string which is stored in the clear, but which makes your local instance globally unique, so the attacker can't precompute value to hash mappings ("Rainbow Tables" [which are faster to make if you have alien technology, from what I've heard]) for all sites.

I'd still suggest using bcrypt or scrypt.

0 comments

2 comments · 1 top-level

JonnieCache15y ago· 1 in thread

Bcrypt typically generates and stores the salt with the rest of the hash, all on its own, which reduces the chance for developer error. It's idiot-proof basically.

rdlOP15y ago

Of course, the other key thing is to avoid giving attackers offline access to the hash database if possible. Even with scrypt, if you let someone try offline, he will get good results on 100 password attempts per account. Users are often using such weak passwords that being only an online oracle and able to shut down after a number of tries on a password, or at least to do app level rate limiting, is still useful.

j / k navigate · click thread line to collapse