
How to Process Passwords as a Software Developer - da02
https://dev.to/nathilia_pierce/how-to-process-passwords-as-a-software-developer-3dkh
======
flmontpetit
> Argon2 is a key derivation function, the winner of the password hashing
> competition and should be used for new projects. In case it isn't available,
> use Scrypt. Any other KDF is nonoptimal.

Probably not worth going for the marginally-better-but-new-and-fancy KDF if
you don't have a reliable implementation available for your language.

Pretty much agree with everything else otherwise
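
As an added illustration of the quoted advice (this is editor-supplied example code, not code from the post, the commenter or the linked article), here is a scrypt-based password store using only Python's standard library, which is what "use Scrypt if Argon2 isn't available" looks like in practice: a random per-password salt, the cost parameters stored alongside the hash so they can be raised later, a constant-time comparison, and a `needs_rehash()` check for transparent upgrades. The `scrypt$N$r$p$salt$key` record format, the parameter values and the function names are assumptions for this example, not a standard.

```python
import hashlib
import os
import secrets

# Cost parameters (assumption: chosen for an interactive login; raise N to the
# highest value your login latency and memory budget allow).  scrypt needs
# roughly 128 * N * r bytes: N=2**15, r=8 is 32 MiB per hash.
SCRYPT_N = 2 ** 15
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16   # bytes; fresh random salt per password
KEY_LEN = 32    # bytes of derived key to store


def _maxmem(n: int, r: int, p: int) -> int:
    # OpenSSL's scrypt allocates 128*r*p + 128*r*(n+2) bytes and refuses to
    # run if that exceeds maxmem; grant exactly that plus 1 MiB of slack.
    return 128 * r * (n + p + 2) + (1 << 20)


def _derive(password: str, salt: bytes, n: int, r: int, p: int, dklen: int) -> bytes:
    return hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
        maxmem=_maxmem(n, r, p), dklen=dklen,
    )


def hash_password(password: str, *, n: int = SCRYPT_N, r: int = SCRYPT_R,
                  p: int = SCRYPT_P) -> str:
    """Return 'scrypt$N$r$p$salt_hex$key_hex' (hypothetical storage format).

    Keeping the parameters next to the hash lets verify_password() handle
    old records and lets needs_rehash() upgrade them when the cost is raised.
    """
    salt = os.urandom(SALT_LEN)
    key = _derive(password, salt, n, r, p, KEY_LEN)
    return "$".join(["scrypt", str(n), str(r), str(p), salt.hex(), key.hex()])


def _parse(stored: str):
    algo, n, r, p, salt_hex, key_hex = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unknown hash type")
    return int(n), int(r), int(p), bytes.fromhex(salt_hex), bytes.fromhex(key_hex)


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison of the candidate key against the stored one."""
    try:
        n, r, p, salt, expected = _parse(stored)
        candidate = _derive(password, salt, n, r, p, len(expected))
    except ValueError:
        return False   # malformed record or bad parameters: failed login, not a crash
    return secrets.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True if the record was made with weaker parameters than the current ones.

    Call this right after a successful verify_password() and re-hash with the
    plaintext you just checked; old accounts get upgraded without a reset.
    """
    try:
        n, r, p, salt, key = _parse(stored)
    except ValueError:
        return True
    return (n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P
            or len(salt) < SALT_LEN or len(key) < KEY_LEN)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("Tr0ub4dor&3", record))                    # False
```

Note that `hashlib.scrypt` is backed by OpenSSL, so it is a vetted implementation rather than a hand-rolled one, which is the property the comment above is asking for; the same record-with-parameters layout carries over unchanged if you later switch the prefix to an Argon2 binding.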

------
woliveirajr
> Enforce multi-factor authentication instead

But in a way that your user won't lose everything if his USB gadget fails.

Also not in a way that it gets stronger than the password and can be used alone to
recover a password (SMS, for example).

Also not in a way that is written down on a piece of paper and typed later.

Also not in a way that prevents your user from using your software.
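
To make the quoted "enforce multi-factor authentication" concrete, here is an editor-added example (not code from the post, the commenter or the linked article) of the server side of a time-based one-time password check, RFC 6238 TOTP, which is the common app-based second factor. It shows the two details developers most often get wrong: a small clock-skew window, and a persisted "last accepted step" so that a code an attacker captured cannot be replayed within that window. The secret and expected codes used in the self-check are the published test vectors from RFC 4226 / RFC 6238; `TotpVerifier`, `setup_key`, and the parameter names are assumptions for this example. Recovery when the user's device is lost, the concern raised in the comment above, is a separate design decision this snippet does not make.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6
SKEW_STEPS = 1      # accept one step either side to tolerate clock drift


def new_totp_secret(nbytes: int = 20) -> bytes:
    """Random shared secret (160 bits, the size RFC 4226 recommends)."""
    return secrets.token_bytes(nbytes)


def setup_key(secret: bytes) -> str:
    """Base32 form of the secret, the text a user types into an authenticator app."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def hotp(secret: bytes, counter: int, digits: int = DIGITS, digestmod=hashlib.sha1) -> str:
    """RFC 4226: dynamic truncation of HMAC(secret, 8-byte big-endian counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP over the number of whole time steps since the Unix epoch."""
    return hotp(secret, int(at) // step, digits)


class TotpVerifier:
    """Per-user verifier state (hypothetical class for this example).

    last_counter is the highest time step already accepted.  Persist it with
    the account: a code that was phished or shoulder-surfed is valid for up to
    (2 * skew + 1) steps, and without this check it could be used twice.
    """

    def __init__(self, secret: bytes, step: int = STEP_SECONDS,
                 skew: int = SKEW_STEPS, last_counter: int = -1):
        self.secret = secret
        self.step = step
        self.skew = skew
        self.last_counter = last_counter

    def verify(self, code: str, now=None) -> bool:
        if now is None:
            now = time.time()
        current = int(now) // self.step
        for counter in range(current - self.skew, current + self.skew + 1):
            if counter <= self.last_counter:
                continue   # this step (or an older one) was already used: replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = new_totp_secret()
    print("enrol this key in the authenticator app:", setup_key(secret))
    verifier = TotpVerifier(secret)
    code = totp(secret, time.time())
    print("first use accepted:", verifier.verify(code))    # True
    print("replay accepted:", verifier.verify(code))       # False
```

The verifier should also be rate-limited per account: six digits give a 1-in-10^6 guess per attempt, so the skew window must be small and the attempt count capped, otherwise the second factor degrades to something guessable rather than "stronger than the password".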

