Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What's the recommended hashing algorithm to use for stored passwords?

Given the known weaknesses of MD5 and the recent (May 2009) weaknesses discussed in SHA1, how should new programs be salting & hashing their passwords?

I've seen SHA-256 and SHA-512 suggested.

Programming predominately in Ruby on Rails and using PostgreSQL -- but other languages and environments might also have to calculate password hashes.

like image 486
Hissohathair Avatar asked Mar 31 '10 02:03

Hissohathair


People also ask

What algorithms are currently acceptable to use when storing passwords?

PBKDF2 is recommended by NIST and has FIPS-140 validated implementations. So, it should be the preferred algorithm when these are required. PBKDF2 requires that you select an internal hashing algorithm such as an HMAC or a variety of other hashing algorithms. HMAC-SHA-256 is widely supported and is recommended by NIST.

Is SHA-256 good for passwords?

SHA-256 is one of the most secure hashing functions on the market. The US government requires its agencies to protect certain sensitive information using SHA-256.

Why is hashing the recommended technique for storing passwords?

Hashing is almost always preferable to encryption when storing passwords inside databases because in the event of a compromise attackers won't get access to the plaintext passwords and there's no reason for the website to ever know the user's plaintext password.

Is sha512 better than SHA-256?

The reason why SHA-512 is faster than SHA-256 on 64-bit machines is that has 37.5% less rounds per byte (80 rounds operating on 128 byte blocks) compared to SHA- 256 (64 rounds operating on 64 byte blocks), where the operations use 64-bit integer arithmetic.


2 Answers

SHA-256 and SHA-512 are safe for the foreseeable future. They belong to the SHA-2 family, against which no attacks have been identified so far. This wikipedia page says that Unix and Linux vendors are just now moving to SHA-2 for their secure hashing of passwords. The SHA-3 family, with even stronger algorithms, is being developed, but won't be ready until 2012 at the least.

P.S: Unless you're hiding secret agent names from governments, you'll be safe with SHA-1 as well, but if it's no trouble implementing SHA-2, just use that one instead.

like image 182
Eli Bendersky Avatar answered Sep 19 '22 05:09

Eli Bendersky


Use a slow function like bcrypt. Here is a post from the Phusion guys.

like image 32
Patrick Avatar answered Sep 18 '22 05:09

Patrick