

How to encrypt user passwords - fosk
http://www.jasypt.org/howtoencryptuserpasswords.html

======
jmillikin
Any site which confuses encryption and hashing is useless.

Here's how to safely store and validate user passwords:

1. Set up a separate, hardened machine. It should be running one server, the
password service. The machine should have the standard security precautions
(secure rack, secure case, encrypted storage, maybe a TPM for the storage key,
etc).

2. The service should have RPCs to create, change, validate, and reset
passwords. Your web frontend should implement password management using the
password service. RPCs should be secured with a standard protocol such as TLS.

3. Policies such as minimum strength or maximum attempts per minute should be
implemented in the password service.

There are commercial products which implement all of the above. They are not
cheap, but if you can afford to give every engineer a laptop, then you can
afford to keep your users' passwords safe.

Even if you don't have enough for an off-the-shelf password storage machine,
then implementing the above yourself will at least be more secure than storing
the passwords in some table in your database.
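The core of the password service the comment sketches (steps 2 and 3), as an added example that is not the commenter's code or any product mentioned: it stores only salted one-way hashes (the hashing-not-encryption point), exposes create/change/validate/reset operations, and enforces a minimum-length policy and a per-account attempts-per-minute limit. The scrypt cost parameters, the 12-character minimum, the 5-per-minute limit and the injectable clock are illustrative choices; the RPC and TLS transport the comment calls for sits outside this module.

```python
"""Minimal password-service core: salted hashing (never encryption), a
strength policy and a per-account attempt limiter. Added example, not code
from the thread; cost parameters and limits are illustrative assumptions."""
import hashlib
import hmac
import os
import secrets
import time

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # illustrative scrypt cost
MIN_LENGTH = 12                                # illustrative strength policy
MAX_ATTEMPTS_PER_MINUTE = 5                    # illustrative rate limit
SALT_BYTES = 16


class PolicyError(ValueError):
    """Password rejected by the strength policy."""


class RateLimited(RuntimeError):
    """Too many validation attempts for this account in the last minute."""


class PasswordService:
    def __init__(self, clock=time.monotonic):
        self._records = {}   # user -> (salt, hash); no plaintext, nothing decryptable
        self._attempts = {}  # user -> timestamps of recent validation attempts
        self._clock = clock  # injectable so the limiter can be tested offline

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Memory-hard KDF; the output is a one-way digest, not a ciphertext.
        return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                              n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)

    @staticmethod
    def _check_policy(password: str) -> None:
        if len(password) < MIN_LENGTH:
            raise PolicyError(f"password shorter than {MIN_LENGTH} characters")

    def _store(self, user: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)  # fresh salt per password
        self._records[user] = (salt, self._hash(password, salt))

    def _count_attempt(self, user: str) -> None:
        now = self._clock()
        recent = [t for t in self._attempts.get(user, []) if now - t < 60]
        if len(recent) >= MAX_ATTEMPTS_PER_MINUTE:
            self._attempts[user] = recent
            raise RateLimited(f"{user}: attempt limit reached, retry later")
        recent.append(now)
        self._attempts[user] = recent

    def create(self, user: str, password: str) -> None:
        self._check_policy(password)
        self._store(user, password)

    def validate(self, user: str, password: str) -> bool:
        self._count_attempt(user)  # limiter applies before any hashing work
        rec = self._records.get(user)
        if rec is None:
            # Hash anyway so response time does not reveal whether the user exists.
            self._hash(password, b"\x00" * SALT_BYTES)
            return False
        salt, stored = rec
        return hmac.compare_digest(self._hash(password, salt), stored)

    def change(self, user: str, old_password: str, new_password: str) -> bool:
        if not self.validate(user, old_password):
            return False
        self._check_policy(new_password)
        self._store(user, new_password)
        return True

    def reset(self, user: str) -> str:
        # Issue a random one-time password; the frontend delivers it out of band
        # and should force a change on first use.
        temp = secrets.token_urlsafe(16)
        self._store(user, temp)
        return temp
```

Only the hash and salt ever reach storage, so a copy of the records cannot be "decrypted"; an attacker with the table is left with an offline guessing problem whose cost the scrypt parameters set. The limiter counts attempts per account, which is what the comment's "maximum attempts per minute" policy needs; a real deployment would also persist the counters and consider per-source limits.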

