
I'm not really up to date with the most recent developments regarding hashing algorithms strengths; what is currently my best bet for storing passwords?

Also, how much more security do salting and key stretching offer me?

  • The answers to this question are likely to go out of date over time. What would be better is a guide to how to find out what "current best practice" is. Commented Dec 6, 2012 at 13:13

2 Answers


As for the extra security provided by hashing, that depends on how many hash iterations you use. As an example, say that you decide to use 2^14 hash iterations. This increases the password's entropy by 14 bits. According to Moore's Law, each extra bit of entropy provided by the hash means approximately 18 extra months to crack the password in the same time as today. So it will be 21 years (14 x 18 months) before the iterated hash can be cracked in the same time as the raw password can be cracked today.

The extra security provided by salting is twofold: it prevents the effective use of a rainbow table, and it makes it more time-consuming to crack a large list of passwords (but not a single password).


2 Comments

bcrypt is the popular way to go right now.
@MarcusAdams I agree, you should either use bcrypt or some well vetted way of doing many hash iterations, like PBKDF2. There are too many ways to screw this stuff up. It's best not to just throw some cryptographic primitives together until it looks safe.

Check out this.

This question over at security.stackexchange is a good discussion of bcrypt vs. PBKDF2 - Do any security experts recommend bcrypt for password storage?

The key is that a hash function alone will not prevent a precomputation attack (e.g. rainbow table). And adding a salt won't protect you from a dictionary or a brute force attack. You are much better using bcrypt or PBKDF2 than building your own scheme with a hash algorithm.
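Both answers above make the same three points: a plain hash is precomputable, a per-password salt defeats shared tables, and key stretching (PBKDF2 or bcrypt) slows brute force. The following is an added example, not code from either answerer; it uses Python's standard-library `hashlib.pbkdf2_hmac` with the 2^14 iterations mentioned in the first answer, and the `alg$iterations$salt$key` record format, function names and sample password are my own assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Iteration count taken from the first answer's example (2^14); raise it over time.
ITERATIONS = 2 ** 14

def unsalted_hash(password: str) -> str:
    """Plain SHA-256: identical passwords give identical hashes, so one
    precomputed table (rainbow table) cracks every account using that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt and key stretching.
    Salt and iteration count are stored next to the derived key so the record
    is self-describing (assumed format): 'pbkdf2_sha256$<iter>$<salt>$<key>'."""
    if salt is None:
        salt = os.urandom(16)  # fresh per password: no table can be shared across users
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(key).decode("ascii")])

def verify_password(password: str, stored: str) -> bool:
    """Re-derive the key with the stored salt/iterations; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256" or not parts[1].isdigit():
        return False
    salt = base64.b64decode(parts[2])
    expected = base64.b64decode(parts[3])
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(parts[1]))
    return hmac.compare_digest(candidate, expected)

def needs_rehash(stored: str, min_iterations: int = ITERATIONS) -> bool:
    """True when a record uses fewer iterations than current policy; call after a
    successful login so old records are upgraded transparently."""
    parts = stored.split("$")
    return (len(parts) != 4 or parts[0] != "pbkdf2_sha256"
            or not parts[1].isdigit() or int(parts[1]) < min_iterations)

if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("unsalted, two users equal:", unsalted_hash(pw) == unsalted_hash(pw))  # True
    a, b = hash_password(pw), hash_password(pw)
    print("salted, two users equal:  ", a == b)  # False: different salts
    print("verify right/wrong:", verify_password(pw, a), verify_password("wrong", a))
```

Raising `ITERATIONS` later does not break existing records, since each one carries its own count; `needs_rehash` flags the ones to upgrade at next login.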
