

Gaming site Destructoid hacked, passwords stolen because they weren't hashed. - ROFISH
http://www.destructoid.com/important-we-changed-all-of-your-dtoid-passwords-possible-hacker-activity-118504.phtml

======
ROFISH
According to various comments I've seen on blogs, Reddit, etc., Destructoid
didn’t even hash their passwords.

I was kinda worried because I run a lower-key gaming site
(<http://forum.fangamer.com>), but I salt and seed my passwords and use a
lesser-known 1024-bit hash function as opposed to popular ones like MD5 and
SHA-1.

~~~
jgrahamc
Everything sounded great until you said "a lesser known" hash function. Use
one that's well known enough to have been extensively attacked by the crypto
community.

~~~
ROFISH
It's Whirlpool (<http://en.wikipedia.org/wiki/Whirlpool_(cryptography)>),
which has common libraries in PHP & Ruby and is accepted in a couple of
international standards. I think it's better to replace "lesser known" with
"uncommonly used".

(Also I messed up and it's a 512-bit hash, not 1024 like I said above.)

