 

What hashing algorithm should I use for storing passwords?

I'm not really up to date with the most recent developments regarding hashing algorithm strengths; what is currently my best bet for storing passwords?

Also, how much more security do salting and key stretching offer me?

Henry Henrinson asked Aug 24 '12 10:08


2 Answers

  • MD5 has been broken.
  • SHA-1 has significant weaknesses.
  • SHA-2 is considered adequate at the moment.
  • SHA-3 will shortly become a FIPS standard.
  • Best practice is to combine password hashing with random salting and key stretching, e.g. PBKDF2.
  • A good discussion on password salting, hashing, and stretching.
  • My implementation of password salting, hashing, and stretching in C#.

As for the extra security provided by hashing, that depends on how many hash iterations you use. As an example, say that you decide to use 2^14 hash iterations. This increases the password's entropy by 14 bits. According to Moore's Law, each extra bit of entropy provided by the hash means approximately 18 extra months to crack the password in the same time as today. So it will be 21 years (14 x 18 months) before the iterated hash can be cracked in the same time as the raw password can be cracked today.

The extra security provided by salting is twofold: it prevents the effective use of a rainbow table, and it makes it more time-consuming to crack a large list of passwords (but not a single password).

HTTP 410 answered Oct 13 '22 11:10


Check out this.

This question over at security.stackexchange is a good discussion of bcrypt vs. PBKDF2 - Do any security experts recommend bcrypt for password storage?

The key is that a hash function alone will not prevent a precomputation attack (e.g. rainbow table). And adding a salt won't protect you from a dictionary or a brute force attack. You are much better off using bcrypt or PBKDF2 than building your own scheme with a hash algorithm.

Luke answered Oct 13 '22 11:10
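An added example, not code from either answer or from the C# implementation linked above: salted, stretched password storage with PBKDF2-HMAC-SHA256 from Python's standard library. The record format, the function names and the default of 2^14 iterations (the figure the first answer uses as its illustration) are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"   # label chosen for this example's record format
ITERATIONS = 2 ** 14          # iteration count used as the illustration in the first answer
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt for every password
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed
    if algorithm != ALGORITHM or rounds < 1:
        return False
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(derived, expected)  # constant-time comparison


def needs_rehash(record: str, target_iterations: int = ITERATIONS) -> bool:
    """True when a record was stretched with fewer rounds than the current target."""
    return int(record.split("$")[1]) < target_iterations


if __name__ == "__main__":
    # Constructed sample: two accounts that share one password.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print(alice != bob)  # the salts differ, so the stored records differ
    print(verify_password("correct horse battery staple", alice))
    print(verify_password("wrong guess", alice))
    print(needs_rehash(hash_password("x", iterations=1000)))
```

Storing the iteration count inside each record lets the count be raised later: old records still verify, and `needs_rehash` flags them for re-hashing at the user's next successful login.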