Not mentioned in the article, is why salting is important even if rainbow tables aren't part of your threat model:<p>There is more than one reason, but they all boil down to one fact; two accounts with the same password will hash to the same value if you do not have a salt.<p>As an example, if an attacker gets a dump of all the hashed passwords, the weak passwords will be immediately apparent just from an analysis of duplicates.
People need to read this article very carefully before forming any sort of take-aways.<p>The title and the start of the article suggest that salts are irrelevant. Then only a few paragraphs later, the author states that salts are indeed crucial.<p>Later in the article, we learn that this article isn't really about salts at all, but the importance of a high work factor / rounds.<p>The problem with the way this article is presented is that a casual reader will be left with the idea that salts are no longer important, which is false.<p>A better title would be something like, "Salts are important, but so is a high work factor"
Salt is a requirement but not a panacea. AshleyMadison's salted MD5 proves that well enough. The point of a salt is so that same password does not result in the same hash for two different users. The key point is that attack time scales linearly with user count, which makes a difference in the actual crack rate <i>when the breach is large</i>.<p>When cracking passwords, to crack the most hashes, your inner loop is iterating the <i>salts</i> from the database while the outer loop moves down the dictionary. Crucially, that means the salt should always be the first bits fed to your hashing function, or else the cracker can optimize away some hashing cycles across users. HMAC will do the right thing here if salt is passed as the 'key' (although the way it expands the key to the block size is somewhat flawed). Feeding the salt to the hashing function first approximately halves the crack rate versus appending salt at the end, by preventing any reuse of hash function state in the inner loop. [1]<p>[1] - <a href="http://article.gmane.org/gmane.comp.security.phc/2325/" rel="nofollow">http://article.gmane.org/gmane.comp.security.phc/2325/</a>
Serious question: Why isn't there a "best practice" for this? A library everybody uses to store passwords in the most secure way possible, and when more secure ways are found, the library is updated and not your code?<p>Everything is so low level, manual and error prone for such a basic part of app security.
Interesting side note: one of the most successful altcoins (a few years ago, back when people cared about this stuff) was called litecoin. The major difference is that it used scrypt instead of SHA because it was hard to parallelize. The idea was this would keep rich groups from taking over the network by throwing money at hashing clusters.<p>I built a machine in a milk crate that had 5xR9s to mine it. I broke even and sold it after I got bored :) It was fun for a month or two.
Is anyone here using Scrypt in production?<p>I had do decide on a hashing scheme recently and ended up going with Bcrypt just because of how new Scrypt is.
I never understand why PBKDF2 gets so little love. It's easy to use, it's easy to implement correctly, it's standardised. scrypt is cooler, but PBKDF2 is just fine.
Reading this title I was wondering what news they have over PBKDF2/Scrypt/Bcrypt and whether it would really be better. Read through it quickly and was disappointed. Unlike they claim, this advice was popular even in 2010: <a href="https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords" rel="nofollow">https://security.stackexchange.com/questions/211/how-to-secu...</a>
"The multiple salts don’t really do much since they’re all likely known to an attacker or can be quickly calculated given knowledge of the other two component"<p>I've never heard before that you can calculate the sitewide salt (i.e. in memory abd unknown to attacker) from having both the user password and the per-user salt.
How is this done?
These days, what is wrong with rolling your own encryption of passwords using key strengthening and salting?<p>Like this:<p>hash = sha1 applied recursively 4071 times ( password . salt ) . salt<p>Serious question. Don't just say religiously, "just use bcrypt". Tell me what is really wrong. What attacks will succeed today? Any crypto enthusiasts in the audience?
Aren't some new password hashing schemes coming out now?<p><a href="https://password-hashing.net/" rel="nofollow">https://password-hashing.net/</a>