Passwords: What a salt is, and what LinkedIn failed to do - niqolas
http://wordsonaplatform.tumblr.com/post/24595070398/passwords-what-a-salt-is-and-what-linkedin-failed-to

======
mikeryan
No. Don't use salts. Use Bcrypt.

<http://codahale.com/how-to-safely-store-a-password/>

~~~
x1
<http://bcrypt-ruby.rubyforge.org/> - last updated 2009

<http://www.mindrot.org/projects/jBCrypt/> - last updated 2010

<http://bcrypt.sourceforge.net/> - updated 2002

<http://news.ycombinator.com/item?id=601408> - bcrypt is now obsolete

[http://stackoverflow.com/questions/615704/preferred-method-o...](http://stackoverflow.com/questions/615704/preferred-method-of-storing-passwords-in-database) no mention of it

I'm not saying I disagree, I'm just frustrated that the MOST important thing
in the world for web developers (storing passwords) is still the MOST
half-assed process.

Where's the super-simple-recently-updated-one-line call? Use bcrypt? What
about scrypt? What about salting, md5, sha1, sha256, sha512, blowfish...

Here's what I want:

String value = MrCrypto.encrypt("Pa33W0rd", MrCrypto.SECURE);
// or
String value = MrCrypto.encrypt("Pa33W0rd", MrCrypto.FAST);

boolean matches = MrCrypto.matches("Pa33W0rd", value);

Something like that, updated whenever a better process comes up, seamless,
backwards compatible and universally accepted (Something ported to php, ruby,
grails, nodejs, java, c#, python etc...). Does that exist?
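An added example, not code from the thread or from any of the linked projects, of the encrypt/matches pair x1 describes and of mikeryan's point that a scheme like bcrypt carries its own salt inside the stored hash. Python's standard-library PBKDF2-HMAC-SHA256 stands in for bcrypt so nothing third-party is needed; the function names, the `pbkdf2_sha256$rounds$salt$digest` layout and the round count are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Assumed policy: the round count the application wants today. Old hashes made
# under a smaller count still verify, because the count is read from the hash.
CURRENT_ROUNDS = 200_000
SCHEME = "pbkdf2_sha256"  # assumed label; bcrypt uses "$2a$" the same way


def encrypt(password: str, rounds: int = CURRENT_ROUNDS) -> str:
    """Hash a password. The caller never sees or stores a salt: a fresh random
    salt is generated here and packed into the returned string, bcrypt-style."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "$".join([
        SCHEME,
        str(rounds),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def matches(password: str, stored: str) -> bool:
    """Verify a password against a stored string. Scheme, rounds and salt are
    parsed from the string, so hashes made under an older policy still check."""
    try:
        scheme, rounds, salt_b64, digest_b64 = stored.split("$")
        if scheme != SCHEME:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(rounds))
    except (ValueError, TypeError):
        return False  # malformed or foreign string: never raise, just reject
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


def needs_rehash(stored: str) -> bool:
    """True when the stored hash is below today's policy; re-run encrypt() on the
    next successful login to upgrade it without a password reset."""
    parts = stored.split("$")
    try:
        return len(parts) != 4 or parts[0] != SCHEME or int(parts[1]) < CURRENT_ROUNDS
    except ValueError:
        return True


if __name__ == "__main__":
    stored = encrypt("Pa33W0rd")
    print(stored)
    print(matches("Pa33W0rd", stored), matches("wrong", stored))
    old = encrypt("Pa33W0rd", rounds=10_000)  # constructed: a hash from a cheaper, older policy
    print(matches("Pa33W0rd", old), needs_rehash(old))
```

Two calls to `encrypt` with the same password give different strings, since each carries its own salt; only `matches` can tell them apart.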

------
bornhuetter
I thought salting passwords had been crypto 101 since at least the 90s. Does
anyone here know how often big companies are still using unsalted
passwords?