'What's the recommended hashing algorithm to use for stored passwords?
Given the known weaknesses of MD5 and the recent (May 2009) weaknesses discussed in SHA1, how should new programs be salting & hashing their passwords?
I've seen SHA-256 and SHA-512 suggested.
Programming predominately in Ruby on Rails and using PostgreSQL -- but other languages and environments might also have to calculate password hashes.
Solution 1:[1]
Use a slow function like bcrypt. Here is a post from the Phusion guys.
Solution 2:[2]
You should use a password-based key derivation function as the uid/pwd result; the most werll known is PBKDF2 http://en.wikipedia.org/wiki/PBKDF2 also defined as RFC 2898 https://www.rfc-editor.org/rfc/rfc2898. PKBDF2 takes your secret data as well as a salt and an iteration count. This is the standard way of solving your problem.
If you program in .NET, use Rfc2898DeriveBytes https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.rfc2898derivebytes
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Patrick |
| Solution 2 | aepot |