7th September, 2011

Rethinking Passwords

Made my first post over at the company blog. Thought it would only be appropriate to give it some link love over here. My thoughts on the future of passwords: Rethinking Passwords.

4th July, 2011

Assault on the Hash (or how to make your passwords secure)

In a recent episode of Build & Analyze, Marco Arment (creator of Instapaper) explained that the standard practice of salting a hash is no longer a really good way to secure passwords. CPUs (and GPUs) are so fast that they can effectively guess your salt in a reasonable amount of time*.

The solution: use bcrypt. Essentially, it’s a hashing algorithm designed to be extremely slow.

To me this seems a little bit like security through obscurity: every once in a while, as CPU speed increases, you’ll have to update your algorithm to generate hashes even more slowly.

See also.

*A modern server can calculate over 300MB of hash data per second!
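The point of bcrypt is worth seeing in code, because the salt itself is not what an attacker has to guess: it is stored in the clear next to the hash and only needs to be unique per user. What bcrypt changes is the cost of each password guess, and it carries a tunable cost factor so that "updating the algorithm" as hardware gets faster means raising one number, not replacing the scheme. The example below is added here and is not from the post or the podcast; it uses the standard library's PBKDF2 (hashlib.pbkdf2_hmac) instead of bcrypt so it runs without a third-party package, but the shape is the same: a random salt stored alongside the hash, an iteration count as the cost, and a transparent re-hash at login when a stored record is below the current policy. The policy constant, record format and function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Tuple

# Hypothetical site policy: the iteration count is the tunable cost, the
# analogue of bcrypt's cost factor. Raise it over time; the algorithm stays.
CURRENT_ITERATIONS = 200_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm, cost, salt and hash.

    The salt is random and stored in the clear. It only has to be unique per
    user, so identical passwords yield different hashes and precomputed tables
    are useless. The password is the secret; the cost makes guessing it slow.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> Tuple[bool, bool]:
    """Check a password against a stored record.

    Returns (matches, needs_rehash). needs_rehash is True when the record was
    made with a lower cost than the current policy, so the caller can upgrade
    it while it still has the plaintext in hand.
    """
    algorithm, iterations_str, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algorithm}")
    iterations = int(iterations_str)
    salt = bytes.fromhex(salt_hex)
    expected = bytes.fromhex(digest_hex)
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    matches = hmac.compare_digest(actual, expected)
    return matches, matches and iterations < CURRENT_ITERATIONS


def login(password: str, stored: str) -> Tuple[bool, str]:
    """Verify, and if the record is below policy return an upgraded record."""
    matches, needs_rehash = verify_password(password, stored)
    if matches and needs_rehash:
        return True, hash_password(password)
    return matches, stored


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Rough local cost of one guess at the given iteration count."""
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"guess", salt, iterations, dklen=KEY_BYTES)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    # Constructed sample: a record hashed under an old, cheap policy.
    old_record = hash_password("correct horse battery staple", iterations=1_000)
    ok, new_record = login("correct horse battery staple", old_record)
    print("login ok:", ok)
    print("record cost after login:", new_record.split("$")[1], "iterations")
    # A single SHA-256 round versus the policy cost shows why cost matters more
    # than the salt: the salt is identical in both cases.
    for cost in (1, 1_000, CURRENT_ITERATIONS):
        print(f"{cost:>8} iterations: {seconds_per_guess(cost) * 1e6:10.1f} us per guess")
```

Running the script shows the old record being silently upgraded to the current cost on a successful login, and the timing loop makes the post's footnote concrete: at one iteration a guess costs microseconds, at the policy cost it costs a good fraction of a second, with the salt playing no part in that difference.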

21st July, 2007

Non-Alpha-Numeric Passwords

Why won’t my bank allow me to use non-alpha-numeric characters in my online banking password?!
Don’t they want my password to be as secure as possible?