In a recent episode of Build & Analyze, Marco Arment (creator of Instapaper) explained that the standard practice of salting a hash is no longer a good way to secure passwords on its own. CPUs (and GPUs) are so fast that they can brute-force salted hashes in a reasonable amount of time*.
The solution: use bcrypt. Essentially, it’s a deliberately slow hashing algorithm.
To me this seems a little bit like security through obscurity: every once in a while – as CPU speed increases – you’ll have to update your algorithm to generate hashes even slower.
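The point of a slow hash is the tunable work factor, and the example below (added here, not code from the post or from Instapaper) shows how that works in practice. bcrypt is not in Python's standard library, so it uses PBKDF2-HMAC-SHA256 from `hashlib`, which has the same shape: a per-user random salt stored next to the hash, plus an iteration count that can be raised over time. The storage format `pbkdf2_sha256$<iterations>$<salt>$<digest>` and the helper names are assumptions of this example; recording the cost inside the stored string is what lets you raise the cost later for new hashes without breaking existing ones.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed storage format (not from the post):
#   "pbkdf2_sha256$<iterations>$<salt_b64>$<digest_b64>"
# Recording the iteration count lets the cost be raised later without
# invalidating hashes that were created at a lower cost.
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = 200_000,
                  salt: Optional[bytes] = None) -> str:
    """Derive a salted, slow hash of `password` with a tunable work factor."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt, stored alongside the hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the parameters recorded in `stored` and compare."""
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, minimum_iterations: int) -> bool:
    """True when a stored hash was made with a lower cost than the current policy."""
    _, iterations, _, _ = stored.split("$")
    return int(iterations) < minimum_iterations


def seconds_per_guess(iterations: int, trials: int = 3) -> float:
    """Rough wall-clock cost of one guess at the given iteration count."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(trials):
        hashlib.pbkdf2_hmac("sha256", b"guess", salt, iterations)
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple", iterations=100_000)
    print(stored)
    print("verify correct:", verify_password("correct horse battery staple", stored))
    print("verify wrong:  ", verify_password("Tr0ub4dor&3", stored))
    # Policy later raised to 200k: the old hash still verifies, but is flagged
    # so it can be re-hashed at the next successful login.
    print("needs rehash:  ", needs_rehash(stored, 200_000))
    # A single iteration behaves like a plain salted SHA-256; compare per-guess cost.
    print(f"1 iteration:       {seconds_per_guess(1):.2e} s/guess")
    print(f"100000 iterations: {seconds_per_guess(100_000):.2e} s/guess")
```

Run it once and compare the two per-guess timings: the slow setting should be several orders of magnitude more expensive per guess, and that multiplier is exactly what an attacker with a fast GPU has to pay for every candidate password. When hardware gets faster you raise `iterations` (the cost parameter), not the algorithm; `needs_rehash` is the hook for migrating old hashes when the user next logs in.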
See also.
*A modern server can calculate over 300MB of hash data per second!