
"And even when they are salted and hashed it's worth asking (or wondering) whether they used a scheme that could beat Carla's computer equivalent by hashing multiple times."

Using such a scheme is generally called using a "key derivation function". Commonly known ones are PBKDF2, bcrypt and scrypt.

What worries me is that most competent people in the industry still ask whether passwords were salted and hashed, rather than whether they used a key derivation function.

This suggests to me that even generally competent developers are not aware that salting and hashing on its own is considered weak. PBKDF2 is over a decade old now!

If you want to educate people, please finish by suggesting that developers should not be rolling their own, but instead using a key derivation function that wraps the knowledge of the state of the art so that developers don't have to worry about the details any more.

"Be on the lookout when a password database is reported to be stolen to see if the press reports that the passwords were 'salted' and 'hashed'..."

Instead, I would be on the lookout to make a note of which key derivation function they were using. If they weren't using one, they were doing it wrong.
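To make the distinction in this comment concrete, here is an added example (not code from the thread or from any project it mentions) that puts the plain "salted and hashed" scheme next to a PBKDF2-HMAC-SHA256 record with a configurable work factor, a fresh random salt per password, constant-time verification and a check for records that should be upgraded to a higher iteration count. The iteration count of 600,000 is an assumption taken from current OWASP guidance, not a value given in the thread.

```python
"""Password storage with a key derivation function (PBKDF2-HMAC-SHA256) beside
the single-pass 'salted and hashed' scheme. Added illustration for this thread;
not code from the original page or any project it mentions."""

import base64
import binascii
import hashlib
import hmac
import os

# Work factor. The count is an assumption for this example (OWASP's guidance for
# PBKDF2-HMAC-SHA256); raise it over time as hardware gets faster.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DKLEN = 32
ALGO = "pbkdf2_sha256"


def naive_salted_hash(password: str, salt: bytes) -> bytes:
    """The scheme the thread calls weak: one SHA-256 pass over salt||password.
    The salt defeats precomputed tables, but an attacker still needs only one
    cheap hash per guess, so offline brute force runs at hardware speed."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def pbkdf2(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: `iterations` chained HMAC computations per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=DKLEN)


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm, iteration count, salt and
    derived key. Storing the parameters lets the work factor be raised later
    without breaking existing records."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    dk = pbkdf2(password, salt, iterations)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def parse_record(stored: str):
    """Split a stored record into (iterations, salt, derived_key); raise
    ValueError on anything malformed."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        raise ValueError("unrecognised password record")
    iterations = int(parts[1])
    if iterations < 1:
        raise ValueError("bad iteration count")
    return iterations, base64.b64decode(parts[2]), base64.b64decode(parts[3])


def verify_password(stored: str, password: str) -> bool:
    """Recompute the derived key with the stored parameters and compare in
    constant time. Malformed records verify as False rather than raising."""
    try:
        iterations, salt, expected = parse_record(stored)
    except (ValueError, binascii.Error):
        return False
    actual = pbkdf2(password, salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record was made with a lower work factor than current
    policy (or is unreadable); call hash_password again after a successful
    login to upgrade it in place."""
    try:
        return parse_record(stored)[0] < iterations
    except (ValueError, binascii.Error):
        return True


def hashes_per_guess(stored: str) -> int:
    """Cost-per-guess multiplier relative to the naive scheme, which is 1."""
    return parse_record(stored)[0]


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok: ", verify_password(record, "correct horse battery staple"))
    print("verify bad:", verify_password(record, "Tr0ub4dor&3"))
    print("cost multiplier vs. single salted SHA-256:", hashes_per_guess(record))
```

The record format mirrors what bcrypt and scrypt libraries do with their own prefixes: the parameters travel with the hash, so a deployment can raise the iteration count and let `needs_rehash` upgrade each account at its next successful login. The same structure applies if PBKDF2 is swapped for bcrypt, scrypt or Argon2; only the derivation call and the parameter fields change.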




What worries me is that most competent people in the industry still ask whether passwords were salted and hashed, rather than whether they used a key derivation function.

Maybe because even that weak protection is still rare. It is the equivalent of "Did you plug it in?" in tech support.


Sure. I'm certain that there are competent developers who are aware of KDFs but still ask for salting for the reason you described.

The problem I perceive is that other developers learn from this question. They falsely learn that salting is the best practice answer, when it is not.


Excellent suggestion. Will add.

