This is a blog post responding to another blog post. The first one recommended using HMAC in a place where it is totally appropriate to use HMAC. The response seems to miss that point.

To store passwords in a database the 'proper hash' to use is OpenBSD's bcrypt. http://www.openbsd.org/papers/bcrypt-paper.ps
Question:
All of these discussions are based on the hacker having access to your database. If you really don't trust your hosting company not to leak your database details, why do you trust them not to overwrite your administrative password with an appropriately salted bcrypt/whatever hash?
So, if you have a hash, and your salt gets compromised, is there a way to re-salt without losing all old passwords? I'm thinking specifically of frameworks like rails where you can have hashes applied auto-magically.
The author admits to having little math ability and makes cryptographic recommendations anyway? Cryptography *is* math. If you don't know math, you don't know cryptography.
I usually hash passwords like this:

    $hash = sha1('foo' . $username . $password);

Can someone explain to me why or when this isn't good enough?
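
The re-salting question and the `sha1('foo' . $username . $password)` question above share one answer, shown here as an added example that is not part of any comment in the thread: SHA-1 is fast and the `'foo' . $username` prefix is predictable, so stored digests can be wrapped in bcrypt without the plaintext and then replaced by a plain bcrypt hash at the next successful login. The record layout (`scheme`, `hash`), the function names and the cost value are assumptions.

```php
<?php
// Added example: migrate legacy sha1('foo' . $username . $password) records
// to bcrypt. Record layout and function names are hypothetical.

const BCRYPT_OPTS = ['cost' => 12]; // assumed work factor; tune to your hardware

function legacy_hash(string $username, string $password): string {
    return sha1('foo' . $username . $password); // scheme from the comment above
}

// Step 1 (offline, no plaintext needed): wrap each stored SHA-1 digest in
// bcrypt. The 40-character hex digest is under bcrypt's 72-byte input limit.
function wrap_legacy(array $record): array {
    if ($record['scheme'] !== 'sha1') {
        return $record;
    }
    return ['scheme' => 'bcrypt-sha1',
            'hash'   => password_hash($record['hash'], PASSWORD_BCRYPT, BCRYPT_OPTS)];
}

// Step 2 (at login): verify under whichever scheme is stored, then upgrade
// to plain bcrypt while the plaintext is available.
function verify_and_upgrade(string $username, string $password, array &$record): bool {
    switch ($record['scheme']) {
        case 'sha1':
            $ok = hash_equals($record['hash'], legacy_hash($username, $password));
            break;
        case 'bcrypt-sha1':
            $ok = password_verify(legacy_hash($username, $password), $record['hash']);
            break;
        case 'bcrypt':
            $ok = password_verify($password, $record['hash']);
            break;
        default:
            return false; // unknown scheme: refuse rather than guess
    }
    if ($ok && ($record['scheme'] !== 'bcrypt'
            || password_needs_rehash($record['hash'], PASSWORD_BCRYPT, BCRYPT_OPTS))) {
        $record = ['scheme' => 'bcrypt',
                   'hash'   => password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS)];
    }
    return $ok;
}

// Constructed sample record for a hypothetical user "alice".
$rec = wrap_legacy(['scheme' => 'sha1', 'hash' => legacy_hash('alice', 'correct horse')]);
var_dump(verify_and_upgrade('alice', 'wrong guess', $rec));
var_dump(verify_and_upgrade('alice', 'correct horse', $rec));
echo $rec['scheme'], "\n";
```

Because `password_hash` generates a fresh random salt per call and stores it inside the hash string, there is no separate application-wide salt left to compromise or rotate.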