2015-10-29 17:56 GMT+01:00 Klaus Hartnegg <hartn...@gmx.de>:
> On 27.10.2015 at 18:55, David W Noon wrote:
>> <https://en.wikipedia.org/wiki/Secure_Hash_Algorithm>
>> <https://tools.ietf.org/html/rfc6234>
>
> Do not use a normal hash function to store passwords. If the password file
> is stolen, the attackers can quickly determine most passwords.
>
> There are special algorithms to securely store passwords. Common
> recommendations are: PBKDF2, bcrypt, scrypt.
>
> Explanation from
> https://en.wikipedia.org/wiki/Password_cracking#Prevention
>
> "Many hashes used for storing passwords, such as MD5 and the SHA family,
> are designed for fast computation and efficient implementation in hardware.
> As a result, they are ineffective in preventing password cracking,
> especially with methods like rainbow tables. Using key stretching
> algorithms, such as PBKDF2, to form password hashes can significantly
> reduce the rate at which passwords can be tested."
>
> See also:
> https://en.wikipedia.org/wiki/Key_derivation_function
>
> scrypt for pascal appears to be offered here:
> http://www.wolfgang-ehrhardt.de/crchash_en.html
Good point. I'd even ask the question: do you really need to store the passwords? IOW, do you want to be able to send them back to the user? Or do you only need to check them?

-- 
Frederic Da Vitoria (davitof)
Member of April - « promoting and defending free software » - http://www.april.org
_______________________________________________ fpc-pascal maillist - fpc-pascal@lists.freepascal.org http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal
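The two points made in this exchange, "only check the password, never store it" and "a fast hash lets an attacker precompute one table for every stolen record", can be shown side by side. The following is an added example written for this page, not code from the thread or from the Free Pascal project; it uses PBKDF2-HMAC-SHA256 from Python's standard library (the thread's other recommendations, bcrypt and scrypt, are used the same way). The iteration count, verifier format, user passwords and the attacker's word list are all constructed for illustration.

```python
"""Verifier-only password storage (salted PBKDF2) versus a plain fast hash.

Added example, not from the original mailing-list thread. The iteration
count, the verifier string format and the sample word list are assumptions
made for illustration.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Assumed parameters: tune ITERATIONS to your own hardware and login budget.
ITERATIONS = 100_000
SALT_LEN = 16   # bytes of random per-user salt
DKLEN = 32      # bytes of derived key to store


def make_verifier(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a self-describing verifier; the password itself is never stored.

    Format (assumed for this example): algorithm$iterations$salt_hex$key_hex,
    so the stored record carries everything needed to re-derive the key later.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, iterations, dklen=DKLEN)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def check_password(password: str, verifier: str) -> bool:
    """Answer "is this the right password?" without ever recovering it."""
    algo, iters, salt_hex, dk_hex = verifier.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported verifier format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters), dklen=DKLEN)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# Constructed attacker dictionary standing in for a real word list.
WORDLIST = ["123456", "password", "letmein", "qwerty", "hunter2", "correct horse"]


def crack_unsalted_sha256(stolen_digests: List[str]) -> Dict[str, str]:
    """Unsalted fast hash: one precomputed table cracks every matching user.

    The table is built once (here six SHA-256 calls) and reused against the
    whole stolen file; this is the shortcut rainbow tables exploit.
    """
    table = {hashlib.sha256(w.encode("utf-8")).hexdigest(): w for w in WORDLIST}
    return {d: table[d] for d in stolen_digests if d in table}


def crack_pbkdf2(stolen_verifiers: List[str]) -> Tuple[Dict[str, str], int]:
    """Salted, stretched verifiers: no shared table, one full PBKDF2 run per guess per user.

    Returns the cracked verifiers and the number of PBKDF2 derivations spent,
    each of which costs ITERATIONS HMAC calls instead of a single SHA-256.
    """
    found: Dict[str, str] = {}
    work = 0
    for v in stolen_verifiers:
        for w in WORDLIST:
            work += 1
            if check_password(w, v):
                found[v] = w
                break
    return found, work


def demo() -> Tuple[int, int, int]:
    """Constructed breach of three users; returns (cracked_sha256, cracked_pbkdf2, pbkdf2_work)."""
    users = {"alice": "hunter2", "bob": "Tr0ub4dor&3", "carol": "qwerty"}
    plain = [hashlib.sha256(p.encode("utf-8")).hexdigest() for p in users.values()]
    stretched = [make_verifier(p) for p in users.values()]
    cracked_plain = crack_unsalted_sha256(plain)
    cracked_kdf, work = crack_pbkdf2(stretched)
    return len(cracked_plain), len(cracked_kdf), work


if __name__ == "__main__":
    v = make_verifier("hunter2")
    print("stored record:", v)
    print("correct password accepted:", check_password("hunter2", v))
    print("wrong password rejected:", not check_password("hunter3", v))
    print("(cracked via SHA-256 table, cracked via PBKDF2, PBKDF2 derivations):", demo())
```

Both schemes "crack" the same weak passwords from the dictionary; the difference is the cost. The unsalted SHA-256 table is computed once for all users, while against the PBKDF2 verifiers every guess for every user is a separate derivation of ITERATIONS HMAC steps, and no precomputation survives the per-user salt. Answering Frederic's question, nothing in the stored record lets the site send the password back; it can only confirm a candidate.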