In other words, this should be updated. I think it's not the biggest deal to get it in, or is it, guys?

I changed my password backend now to SHA, but I would like to have something better and not change my code every time things are updated in the software for passwords.

> At Mon, 13 Feb 2012 15:25:36 +0100,
> Matt wrote:
>> Has there already been thought given to updating the sha1 to sha256 or
>> something?
>>
>> SHA1 is kinda old in my opinion and security on passwords is all!
>
> MD/SHA are not designed for storing passwords and are actually pretty
> bad at it. The purpose of those functions is to generate a unique
> digest of large data in a fast way. But you don't want fast for your
> passwords, because the faster the algorithm, the faster you can brute
> force the password.
>
> Algorithms like bcrypt are actually designed for storing
> passwords. It's a few orders of magnitude slower (you can actually
> specify how slow you want it to be), which makes brute forcing pretty
> much impossible even for not so random passwords. It goes a bit too
> far to explain all the details here, but if you google for it or look
> at wikipedia you should find enough information about it.
>
> Kind regards,
>
> Jeroen Dekkers
> --
> [email protected]
> https://inverse.ca/sogo/lists

--
Regards,
Matt
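The two points in the thread, a fast digest is the wrong tool and a deliberately slow KDF with a chosen cost is the right one, are easiest to see side by side. The following is an added example written for this page; it is not code from the list thread or from SOGo. It assumes PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt (bcrypt needs a third-party package, and PBKDF2 has the same property Jeroen describes: the deployer picks how slow one guess must be). The `$pbkdf2-sha256$...` record format is a constructed one for this example, chosen so the cost travels with the hash and can be raised later without touching application code, which is the maintenance problem Matt raises.

```python
import hashlib
import hmac
import os
import time

# --- The scheme the thread moves away from: one fast digest, no salt -------

def sha1_store(password: str) -> str:
    """Unsalted SHA-1, as in a plain {SHA} password field: fast, and the same
    password always yields the same digest, so precomputed tables work."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# --- A tunable-cost KDF: the property Jeroen describes for bcrypt ----------
# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt here. Both let the
# deployer choose how slow a single guess must be (here: iteration count).

DEFAULT_ITERATIONS = 200_000  # constructed value for this example


def kdf_store(password: str, iterations: int = DEFAULT_ITERATIONS,
              salt: bytes = b"") -> str:
    """Return a self-describing record (constructed format):
    algorithm, cost, salt, derived key. Storing the cost next to the hash is
    what lets it be raised later without changing application code."""
    salt = salt or os.urandom(16)  # per-user random salt defeats table reuse
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, dklen=32)
    return f"$pbkdf2-sha256${iterations}${salt.hex()}${key.hex()}"


def kdf_verify(password: str, stored: str) -> bool:
    """Re-derive with the parameters found in the record and compare."""
    _, algo, iters, salt_hex, key_hex = stored.split("$")
    if algo != "pbkdf2-sha256":
        raise ValueError(f"unsupported record type: {algo}")
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              bytes.fromhex(salt_hex), int(iters), dklen=32)
    # Constant-time comparison so verification timing does not leak digest bytes.
    return hmac.compare_digest(key.hex(), key_hex)


def stored_iterations(stored: str) -> int:
    return int(stored.split("$")[2])


def needs_rehash(stored: str, current: int = DEFAULT_ITERATIONS) -> bool:
    """True when the record was made with a lower cost than wanted today;
    the caller re-runs kdf_store on the next successful login."""
    return stored_iterations(stored) < current


def guesses_per_second(hash_one, window: float = 0.25) -> float:
    """Rough single-core guess throughput on this machine: how many candidate
    passwords `hash_one` can process per second. The gap between the two
    schemes is the 'orders of magnitude' the thread talks about."""
    count, end = 0, time.perf_counter() + window
    while time.perf_counter() < end:
        hash_one("candidate%d" % count)
        count += 1
    return count / window


if __name__ == "__main__":
    fixed_salt = bytes(16)  # fixed only so the timing loop measures the KDF
    print("sha1   : %.0f guesses/s" % guesses_per_second(sha1_store))
    print("pbkdf2 : %.1f guesses/s" %
          guesses_per_second(lambda pw: kdf_store(pw, salt=fixed_salt)))
    rec = kdf_store("correct horse battery staple", iterations=50_000)
    print("verify :", kdf_verify("correct horse battery staple", rec))
    print("rehash :", needs_rehash(rec))  # True: stored cost is below DEFAULT
```

Running the script prints the guess rate for each scheme on the local machine; the exact numbers vary, but the ratio is the point. The `needs_rehash` check is how a deployment raises the cost over time: old records keep verifying with their own stored parameters, and are upgraded transparently when the user next logs in.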
