Assault on the Hash (or how to make secure your passwords)

In a recent episode of Build & Analyze Marco Armet (creator of Instapaper) explained that the standard practice of salting a hash is no longer a really good way to secure passwords. CPUs (and GPUs) are so fast that they can effectively guess your salt in a reasonable amount of time*.

The solution, use bcrypt. Essentially, it’s an extremely slow hashing algorithm.

To me this seems a little bit like security through obscurity, every once in awhile – as CPU speed increases – you’ll have to update your algorithm to generate hashes even slower.

See also.

*A modern server can calculate over 300MB of hash data per second!

Leave a Reply