
How MembershipReboot stores passwords (2014) - sakopov
http://brockallen.com/2014/02/09/how-membershipreboot-stores-passwords-properly/
======
StavrosK
This isn't that innovative, it's exactly what Django does by default.

By the way, this:

> And finally, MembershipReboot allows an application to require the user
> change their password periodically. This way user’s password can get updated
> with the current iteration count.

is pretty horrible. Don't force the user to change their password. If you need
to upgrade the iterations, just do it seamlessly the next time they
authenticate.
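
The seamless upgrade described in the comment above, sketched as an added example (not part of the thread, and not MembershipReboot's or Django's code): the plaintext is only available at login, so that is when a record hashed with an old iteration count can be re-hashed. The record layout, the function names and the `CURRENT_ITERATIONS` value are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

CURRENT_ITERATIONS = 600_000  # assumed current work factor, not taken from the thread


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$derived_key."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def verify_and_upgrade(password: str, stored: str):
    """Check a login attempt against a stored record.

    Returns (ok, new_record). new_record is a fresh record when the password
    was correct but the stored iteration count is below the current one;
    the caller persists it in place of the old record. Otherwise it is None.
    """
    try:
        scheme, iter_s, salt_b64, dk_b64 = stored.split("$")
        iterations = int(iter_s)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
    except ValueError:  # wrong field count, bad integer, or bad base64
        return False, None
    if scheme != "pbkdf2_sha256" or iterations < 1 or len(expected) != 32:
        return False, None

    # Recompute with the iteration count stored in the record, not the current one.
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    if not hmac.compare_digest(dk, expected):
        return False, None

    # Correct password: upgrade only if the record is behind the current setting.
    if iterations < CURRENT_ITERATIONS:
        return True, hash_password(password)
    return True, None


if __name__ == "__main__":
    old = hash_password("correct horse", iterations=10_000)  # constructed legacy record
    ok, upgraded = verify_and_upgrade("correct horse", old)
    print(ok, old.split("$")[1], "->", upgraded.split("$")[1])
```

Accounts that never log in again keep their old iteration count under this approach, since the upgrade needs the plaintext.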

------
t0mas88
I stopped reading here:

> To help determine the right iterations for your hardware I have an utility
> here.

Everyone with just the slightest idea of how hashing and password cracking
works should know that there is no such thing as "right number of iterations
for your hardware" because the attacker would obviously have different
hardware.

------
ExpiredLink
He doesn't store passwords - which would be a terrible idea.

------
melle
How is this different from bcrypt?

