If you can run that same thing 5 passes... do it!
Aren't you reducing your key space then? Making it less secure.
Topic: Public Safety Announcement: On the subject of password security - page 4. (Read 5899 times)
Aren't you reducing your key space then? Making it less secure.
Please, service providers... Use the best possible solution available!
If you can use multiple SHA512 hashes with each different unique salts form different sections of passwords... do it! If you can run that same thing 5 passes... do it!
Don't just go with MD5 + usalt because "no-one will ever get the database". Always prepare for the worst case scenario. HAve graceful hash updates! If a better hashing method becomes available, make users reset their password! (Or have it be done automatically on log in using submitted password for 30 days, and after that time, require reset.)
Thanks for listening, do shout at me if you think this is stupid advice!
If you can use multiple SHA512 hashes with each different unique salts form different sections of passwords... do it! If you can run that same thing 5 passes... do it!
Don't just go with MD5 + usalt because "no-one will ever get the database". Always prepare for the worst case scenario. HAve graceful hash updates! If a better hashing method becomes available, make users reset their password! (Or have it be done automatically on log in using submitted password for 30 days, and after that time, require reset.)
Thanks for listening, do shout at me if you think this is stupid advice!
Of course users should:
1) Have a 15+ character password.
2) Have that password contain a minimum of 2 digits, 2 upper, 2 lower, 2 symbols, none repeating
3) Have that password be unique to that site
Then you have very little to worry about, unless of course it is stored in clear text.
If only people didn't get annoyed when you try to enforce restrictions.
Please, service providers... Use the best possible solution available!
If you can use multiple SHA512 hashes with each different unique salts form different sections of passwords... do it! If you can run that same thing 5 passes... do it!
Don't just go with MD5 + usalt because "no-one will ever get the database". Always prepare for the worst case scenario. HAve graceful hash updates! If a better hashing method becomes available, make users reset their password! (Or have it be done automatically on log in using submitted password for 30 days, and after that time, require reset.)
Thanks for listening, do shout at me if you think this is stupid advice!
If you can use multiple SHA512 hashes with each different unique salts form different sections of passwords... do it! If you can run that same thing 5 passes... do it!
Don't just go with MD5 + usalt because "no-one will ever get the database". Always prepare for the worst case scenario. HAve graceful hash updates! If a better hashing method becomes available, make users reset their password! (Or have it be done automatically on log in using submitted password for 30 days, and after that time, require reset.)
Thanks for listening, do shout at me if you think this is stupid advice!
Of course users should:
1) Have a 15+ character password.
2) Have that password contain a minimum of 2 digits, 2 upper, 2 lower, 2 symbols, none repeating
3) Have that password be unique to that site
Then you have very little to worry about, unless of course it is stored in clear text.
Dual salts would also be good, where one of the salts set in source code. If only the database is compromised, the passwords are safe.
Please, service providers... Use the best possible solution available!
If you can use multiple SHA512 hashes with each different unique salts form different sections of passwords... do it! If you can run that same thing 5 passes... do it!
Don't just go with MD5 + usalt because "no-one will ever get the database". Always prepare for the worst case scenario. HAve graceful hash updates! If a better hashing method becomes available, make users reset their password! (Or have it be done automatically on log in using submitted password for 30 days, and after that time, require reset.)
Thanks for listening, do shout at me if you think this is stupid advice!
If you can use multiple SHA512 hashes with each different unique salts form different sections of passwords... do it! If you can run that same thing 5 passes... do it!
Don't just go with MD5 + usalt because "no-one will ever get the database". Always prepare for the worst case scenario. HAve graceful hash updates! If a better hashing method becomes available, make users reset their password! (Or have it be done automatically on log in using submitted password for 30 days, and after that time, require reset.)
Thanks for listening, do shout at me if you think this is stupid advice!
Jump to: