Topic: Quite a few people have been hacked. Do you use good password hashing protocols? (Read 116 times)

legendary
Activity: 2590
Merit: 2156
Welcome to the SaltySpitoon, how Tough are ya?
This is from a post regarding a database breach a while ago:

-snip-
Passwords were hashed very strongly. Each password is hashed with 7500 rounds of sha256crypt and a 12-byte random salt (per password).
-snip-
WWP
newbie
Activity: 5
Merit: 0
Someone has been hacked: https://bitcointalksearch.org/topic/billyboy402-account-does-not-exist-1546435

I also seem to have been hacked. So I started a new life.

According to https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet#Use_a_cryptographically_strong_credential-specific_salt and https://www.keylength.com/ it is reasonable to assume I've used a strong enough password for this time and age - on a properly configured forum.

Password strength requires two components:

- The service provider to use appropriate password hashing schemes. See the OWASP.org link.

- The user to use a password of appropriate entropy for the time and age. See the KeyLength.com link.

If your user doesn't want to be hacked on your forum, how many bits of entropy should his password consist of, according to your algorithm and the rules of math?
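The two posts above name the two halves of the problem: the server's hash (7500 rounds of sha256crypt with a per-password salt, as quoted in the first post) and the user's entropy (the question in the second). The block below is an added illustration, not code from this thread or from the forum software: a pure-Python reimplementation of sha256crypt (the `$5$` crypt(3) scheme, following Drepper's specification) checked against the spec's own test vector, plus small helpers. `new_setting`, `verify`, `entropy_bits` and `bits_needed` are names chosen here; the 7500-round / 12-byte-salt defaults are taken from the quoted post, and the guess rate used in the demo at the bottom is a constructed placeholder, not a measured cracking speed.

```python
import hashlib
import hmac
import math
import secrets

# Output alphabet shared by crypt(3)-style hashes and their salts.
CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ROUNDS_DEFAULT, ROUNDS_MIN, ROUNDS_MAX = 5000, 1000, 999_999_999
# Byte positions of the final digest in the order the encoder consumes them.
_OUTPUT_ORDER = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
                 (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]


def _b64_from_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """Emit n six-bit characters, least significant first, from three bytes."""
    w = (b2 << 16) | (b1 << 8) | b0
    chars = []
    for _ in range(n):
        chars.append(CRYPT_ALPHABET[w & 0x3F])
        w >>= 6
    return "".join(chars)


def sha256crypt(password: str, setting: str) -> str:
    """Compute a $5$ (sha256crypt) hash; `setting` is "$5$[rounds=N$]salt"."""
    if not setting.startswith("$5$"):
        raise ValueError("not a sha256crypt setting string")
    rest = setting[3:]
    rounds, rounds_explicit = ROUNDS_DEFAULT, False
    if rest.startswith("rounds="):
        spec, _, rest = rest.partition("$")
        rounds = min(max(int(spec[len("rounds="):]), ROUNDS_MIN), ROUNDS_MAX)
        rounds_explicit = True
    salt = rest.split("$", 1)[0][:16].encode()   # the salt is capped at 16 characters
    key = password.encode()

    # B = SHA256(key || salt || key)
    b = hashlib.sha256(key + salt + key).digest()
    # A = SHA256(key || salt || len(key) bytes of B || B-or-key per bit of len(key))
    a_ctx = hashlib.sha256(key + salt)
    a_ctx.update(b * (len(key) // 32) + b[: len(key) % 32])
    n = len(key)
    while n > 0:
        a_ctx.update(b if n & 1 else key)
        n >>= 1
    a = a_ctx.digest()
    # P: len(key) bytes cut from SHA256(key repeated len(key) times)
    dp = hashlib.sha256(key * len(key)).digest()
    p = (dp * (len(key) // 32 + 1))[: len(key)]
    # S: len(salt) bytes cut from SHA256(salt repeated 16 + A[0] times)
    ds = hashlib.sha256(salt * (16 + a[0])).digest()
    s = (ds * (len(salt) // 32 + 1))[: len(salt)]
    # The work factor: `rounds` chained SHA-256 computations mixing A, P and S.
    c = a
    for i in range(rounds):
        ctx = hashlib.sha256(p if i & 1 else c)
        if i % 3:
            ctx.update(s)
        if i % 7:
            ctx.update(p)
        ctx.update(c if i & 1 else p)
        c = ctx.digest()
    encoded = "".join(_b64_from_24bit(c[x], c[y], c[z], 4) for x, y, z in _OUTPUT_ORDER)
    encoded += _b64_from_24bit(0, c[31], c[30], 3)
    prefix = "$5$" + (f"rounds={rounds}$" if rounds_explicit else "")
    return prefix + salt.decode() + "$" + encoded


def new_setting(rounds: int = 7500, salt_bytes: int = 12) -> str:
    """Setting string with a fresh random salt; defaults follow the quoted post."""
    raw = secrets.token_bytes(salt_bytes)
    # Three random bytes become four salt characters; 12 bytes give the 16-char maximum.
    salt = "".join(_b64_from_24bit(raw[i], raw[i + 1], raw[i + 2], 4)
                   for i in range(0, len(raw) - len(raw) % 3, 3))
    return f"$5$rounds={rounds}${salt[:16]}"


def verify(password: str, stored: str) -> bool:
    """Recompute from the stored rounds/salt and compare in constant time."""
    setting = stored.rsplit("$", 1)[0]
    return hmac.compare_digest(sha256crypt(password, setting), stored)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password drawn uniformly: log2(alphabet) bits per character."""
    return length * math.log2(alphabet_size)


def bits_needed(guesses_per_second: float, seconds: float) -> int:
    """Smallest entropy whose expected search (half the space) outlasts `seconds`."""
    return math.ceil(math.log2(guesses_per_second * seconds)) + 1


if __name__ == "__main__":
    stored = sha256crypt("correct horse battery staple", new_setting())
    print(stored, verify("correct horse battery staple", stored))
    # Placeholder rate (constructed, not measured): 1e6 guesses/s for ten years.
    print(entropy_bits(12, 62), bits_needed(1e6, 10 * 365 * 86400))
```

The iteration count is what the defender controls: every round is one more SHA-256 an attacker must spend per guess, so raising `rounds` multiplies the cost of the whole search, while each extra bit of password entropy doubles it. `bits_needed` is the arithmetic behind the second post's question: plug in the guess rate you are willing to assume for the stored hash and the time you want the expected search to take, and it returns the entropy the password has to carry.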