{"id":1563,"date":"2007-09-17T11:21:01","date_gmt":"2007-09-17T15:21:01","guid":{"rendered":"http:\/\/mjtsai.com\/blog\/2007\/09\/17\/storing-passwords\/"},"modified":"2007-09-17T11:21:05","modified_gmt":"2007-09-17T15:21:05","slug":"storing-passwords","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2007\/09\/17\/storing-passwords\/","title":{"rendered":"Storing Passwords"},"content":{"rendered":"

Jeff Atwood<\/a>:<\/p>\n

\n

…storing plaintext passwords in the database is strictly forbidden—that there’s a better way, starting with basic hashes.\n<\/p>\n

Hashing the passwords prevents plaintext exposure, but it also means you’ll be vulnerable to the astonishingly effective rainbow table attack<\/a> I documented last week. Hashes alone are better than plain text, but barely. It’s not enough to thwart a determined attacker. Fortunately, the kryptonite for rainbow table attacks is simple enough—add a salt value to the hashes to make them unique.\n<\/p>\n<\/blockquote>\n

Thomas Ptacek<\/a>:<\/p>\n

\n

The problem is that MD5 is fast. So are its modern competitors, like SHA1 and SHA256. Speed is a design goal<\/a> of a modern secure hash, because hashes are a building block of almost every cryptosystem, and usually get demand-executed on a per-packet or per-message basis.\n<\/p>\n

Speed is exactly what you don’t want in a password hash function.<\/p>\n<\/blockquote>","protected":false},"excerpt":{"rendered":"

Jeff Atwood: …storing plaintext passwords in the database is strictly forbidden—that there’s a better way, starting with basic hashes. Hashing the passwords prevents plaintext exposure, but it also means you’ll be vulnerable to the astonishingly effective rainbow table attack I documented last week. Hashes alone are better than plain text, but barely. It’s not enough […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"","apple_news_api_id":"","apple_news_api_modified_at":"","apple_news_api_revision":"","apple_news_api_share_url":"","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[4],"tags":[],"class_list":["post-1563","post","type-post","status-publish","format-standard","hentry","category-programming-category"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/1563","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=1563"}],"version-history":[{"count":0,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/1563\/revisions"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=1563"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=1563"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=1563"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}