Pages:
Author

Topic: A public service announcement - page 3. (Read 3817 times)

sr. member
Activity: 252
Merit: 250
September 11, 2011, 07:19:24 AM
#3


Totally wrong. Basically, all of your "advice" is garbage.

Some real programmers, please chime in.
legendary
Activity: 1470
Merit: 1006
Bringing Legendary Har® to you since 1952
September 11, 2011, 06:50:29 AM
#2
Use BCrypt, Fool!

This forum stores passwords as weak hashes derived from weak salts using fast hash functions. It is amateur hour at bitcointalk.org.

Stop using MD5 or SHA. They were never designed to store passwords and protect them from offline attacks.

For example, MTGOX foolishly stores passwords as SHA512 hashes. It should use bcrypt(). It is amateur hour at MTGOX and probably most other exchanges. The notable exception is bitcoin-central, which does use bcrypt.

Salts should be generated using proper random number generators.

Again, Use BCrypt, Fool!

Actually, you don't need to use bcrypt.
You can have exactly the same effect using multiple layered hashing algorithms with specified number of rounds.
You only need to increase the number of rounds once hardware gets more powerful - it will have exactly the same effect as bcrypt.

Also, i trust multiple salted hashing algorithms more than a single algorithm (blowfish), which is used in bcrypt.
sr. member
Activity: 252
Merit: 250
September 11, 2011, 05:17:20 AM
#1
Use BCrypt, Fool!

This forum stores passwords as weak hashes derived from weak salts using fast hash functions. It is amateur hour at bitcointalk.org.

Stop using MD5 or SHA. They were never designed to store passwords and protect them from offline attacks.

For example, MTGOX foolishly stores passwords as SHA512 hashes. It should use bcrypt(). It is amateur hour at MTGOX and probably most other exchanges. The notable exception is bitcoin-central, which does use bcrypt.

Salts should be generated using proper random number generators.

Again, Use BCrypt, Fool!
Pages:
Jump to: