On Wed, Jan 27, 2010 at 06:33:12AM -0800, Jan Lehnardt wrote:
> I'm not a crypto expert, but it seems we can get away with sha1 if we use
> HMAC instead of just hashing + salting:

Errm, do you mean HMAC with a fixed server-side secret?

This means that if you replicate user records between servers, you must have the same secret on both boxes. This could be either a problem or a benefit, depending on how you look at it.

But once your system has registered its first user, it will be impossible to change to a different secret; in 10 years' time you'll have to be using the same one. Over time, the chances increase that the secret will leak somehow (admin staff members leaving, for instance), at which point you are no better off than a regular hash.

If you mean "use HMAC to mix in the salt", then that's an unnecessary application of an HMAC. The salt isn't secret, it's public.

Regards,

Brian.
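An added example, not code from this thread or from CouchDB, contrasting the two readings of "use HMAC" that Brian distinguishes: a plain salted hash whose salt is stored in the clear, and HMAC under a fixed server-side secret, showing why the keyed record only replicates to a server holding the same secret and why the secret can only be changed per user at login. Function names and the sample secrets are constructed; SHA-1 is kept only because it is the hash the thread discusses.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not code from the thread. SHA-1 is used because it is the hash
# under discussion; secrets and passwords below are constructed sample values.


def salted_sha1(password: bytes, salt: bytes) -> bytes:
    """Plain salted hash. The salt is public and stored next to the digest."""
    return hashlib.sha1(salt + password).digest()


def keyed_sha1(password: bytes, salt: bytes, server_secret: bytes) -> bytes:
    """HMAC-SHA1 under a fixed server-side secret. The secret lives outside the
    user record, so the record alone is not enough to check a password."""
    return hmac.new(server_secret, salt + password, hashlib.sha1).digest()


def make_record(password: bytes, server_secret: Optional[bytes] = None) -> dict:
    """Build a user record in either scheme; the salt is always stored in the clear."""
    salt = os.urandom(16)
    if server_secret is None:
        return {"scheme": "salted", "salt": salt, "digest": salted_sha1(password, salt)}
    return {"scheme": "keyed", "salt": salt,
            "digest": keyed_sha1(password, salt, server_secret)}


def verify(record: dict, password: bytes, server_secret: Optional[bytes] = None) -> bool:
    """A keyed record needs the same secret that produced it; compare in constant time."""
    if record["scheme"] == "salted":
        candidate = salted_sha1(password, record["salt"])
    elif server_secret is not None:
        candidate = keyed_sha1(password, record["salt"], server_secret)
    else:
        return False
    return hmac.compare_digest(candidate, record["digest"])


def replicate_and_verify(password: bytes, secret_a: bytes, secret_b: bytes) -> dict:
    """Replication point: a keyed record made on server A verifies on server B
    only if B holds the same secret. A salted record verifies anywhere."""
    keyed, salted = make_record(password, secret_a), make_record(password)
    return {"keyed_same_secret": verify(keyed, password, secret_a),
            "keyed_other_secret": verify(keyed, password, secret_b),
            "salted_anywhere": verify(salted, password)}


def rekey_at_login(record: dict, password: bytes, old: bytes, new: bytes) -> Optional[dict]:
    """Rotation point: the secret can only be swapped one user at a time, at a
    successful login, because the plaintext is needed to recompute the digest."""
    return make_record(password, new) if verify(record, password, old) else None
```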
