
HMAC authentication requires both the client and the server to have a shared secret (or more likely a derived key based on a shared secret). The secret cannot be saved as a one-way hash (as might be common for a password). So you couldn't use BCrypt or SCrypt to hash the shared (or derived) secret since the server would never be able to acquire the value to calculate the same digest.

You can still encrypt the secret, e.g. using AES 256 bit encryption with secure random Initialization Vectors and rolling keys. This too is not easily 'brute forceable', but is very fast to decrypt compared to a BCrypt comparison (key storage should also be in a separate location from the main data store).
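As an added example (not code from the comment above), the arrangement it describes using only Go's standard library: the client's HMAC secret is stored under AES-256-GCM with a fresh random nonce, and the server decrypts it only to recompute and compare the tag, which a one-way hash such as bcrypt could never support. The key-encryption key `kek`, its 32-byte size, and the function names are assumptions for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// gcmFor returns AES-256-GCM under a 32-byte KEK (assumed) kept apart from the secret store.
func gcmFor(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealSecret encrypts a client's HMAC secret for storage under a fresh random
// nonce (GCM's IV), which is prepended to the ciphertext.
func SealSecret(kek, secret []byte) ([]byte, error) {
	gcm, err := gcmFor(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, secret, nil), nil
}

// VerifyRequest decrypts the stored blob (reversible, unlike a bcrypt hash, so
// the server recovers the exact secret), recomputes HMAC-SHA256 over the
// request body and compares it to the client's tag in constant time.
func VerifyRequest(kek, blob, body, clientTag []byte) bool {
	gcm, err := gcmFor(kek)
	if err != nil || len(blob) < gcm.NonceSize() {
		return false
	}
	secret, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	if err != nil { // wrong KEK or tampered blob: no secret, so no verification
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(mac.Sum(nil), clientTag)
}
```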



