Only problem with that is the work factor. Not much different from using sha512 with a customized looping/b64 strategy, it's still fast (which is bad for password hashes). With bcrypt you can adjust the work factor and actually make cracking passwords a very slow and expensive operation.
Renting out EC2 to rainbow-table and brute-force hashes done with a fast algorithm is easy and cheap. Cracking against something like bcrypt with a work factor of 15 becomes /extremely/ expensive and therefore prohibitive.

http://codahale.com/how-to-safely-store-a-password/

Daniel Holth <[email protected]> writes:

> n.b. Gawker Media. Strong password hashes protect your reputation and
> your users' accounts on other services when your password database is
> compromised. Even if you don't care, they are so trivial to implement,
> why not use them?
>
> If you are running on a modern Linux distribution all you have to do to
> get a good password hash is call os.crypt('password', '$6$' +
> base64.b64encode(os.urandom(12), altchars='./')). $6$ (supported
> prefixes vary by Unix, see 'man crypt') tells the builtin crypt
> implementation that it should use a scheme based on many iterations of
> SHA512, salted with 12 bytes of random data, to produce a password hash
> such as:
>
> $6$P7GbB7H2yUevixa.$H8PrVPW.r5zUGykDUW1fK/
> PTX6QsqvUbYifvFqiPsaFPffCq94KOGLh7rqHTjjOGF0JFgUgHgcbSlI4W9.NbV0
>
> To check the password, assert that os.crypt('password', stored_hash) ==
> stored_hash
-- 
Parnell "ixmatus" Springmeyer (http://ixmat.us)
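An added example, not code from either poster: the salt construction from the quoted message (12 random bytes, base64 with './' alternates) combined with the reply's point about a tunable work factor. PBKDF2-HMAC-SHA512 from hashlib stands in for the iterated-SHA512 crypt(3) scheme so it runs anywhere, and the `$pbkdf2-sha512$<cost>$<salt>$<hash>` string layout and the `cost` field (rounds = 2**cost, so each +1 doubles the work, like bcrypt's factor) are my own assumptions.

```python
import base64
import hashlib
import hmac
import os
import time

SALT_BYTES = 12  # 12 bytes of os.urandom, as in the quoted message
SCHEME = "pbkdf2-sha512"


def make_salt() -> str:
    # Same alphabet trick as the quoted message: base64 with './' as altchars,
    # so the salt never contains '$' or '+' and fits a crypt-style string.
    return base64.b64encode(os.urandom(SALT_BYTES), altchars=b"./").decode()


def hash_password(password: str, cost: int = 12, salt: str = None) -> str:
    """Return '$pbkdf2-sha512$<cost>$<salt>$<hash>' with 2**cost rounds.
    Raising cost by one doubles the time an attacker needs per guess."""
    if not 4 <= cost <= 31:
        raise ValueError("cost must be between 4 and 31")
    salt = salt or make_salt()
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt.encode(), 1 << cost)
    encoded = base64.b64encode(digest, altchars=b"./").decode()
    return "$%s$%d$%s$%s" % (SCHEME, cost, salt, encoded)


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the cost and salt carried in the stored string, then
    compare in constant time. Malformed strings never verify."""
    try:
        _, scheme, cost, salt, _digest = stored.split("$")
        if scheme != SCHEME:
            return False
        recomputed = hash_password(password, int(cost), salt)
    except ValueError:
        return False
    return hmac.compare_digest(recomputed, stored)


def time_hash(cost: int) -> float:
    """Seconds for one hash at the given cost; shows the work factor scaling."""
    start = time.perf_counter()
    hash_password("benchmark", cost)
    return time.perf_counter() - start


if __name__ == "__main__":
    stored = hash_password("correct horse", cost=14)
    print(stored)
    print(verify_password("correct horse", stored), verify_password("wrong", stored))
    for cost in (10, 12, 14):
        print("cost %d: %.3fs" % (cost, time_hash(cost)))
```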
