undefined | Better HN

0 pointsagotterer17y ago0 comments

I prefer 1 way hashed passwords. But why assume they are doing it in plain text? Why not a two way encryption?

0 comments

True, two way hashing is better than nothing, but it's still less secure than one way hashing (with a per-user salt) for passwords. All you need if one rogue employee and they can decrypt everyone's password. It's just difficult to justify the added risk when there usually isn't a need to retrieve the original password.

Edit: by "two way hashing" I meant encryption, not hashing. not sure where my brain was on that one...

tptacek17y ago

As a practitioner in this space, I'm going to tell you that I don't know what this "two-way hashing" is that you speak of. There's a right way to store passwords and there's a wrong way. The right way is bcrypt. The wrong way is anything other than bcrypt.

thwarted17y ago

Are you making a distinction between storing for verification and storing for use? The right way to store passwords when you use them to verify authentication is to hash (twitter verifying a login). The right way to store passwords when you need to use them to gain access on behalf of a user is to encrypt them (any third party "twitter application"). I ask because the first google result for "bcrypt" is http://bcrypt.sourceforge.net/ which is distinctly not hashing, where as the second one is for a ruby library interface to bcrypt hashing.

1 more reply

j / k navigate · click thread line to collapse