
Are You Sure SHA-1+Salt Is Enough For Passwords?

February 9th, 2011 02:47 admin


Melchett writes “It’s all too common that Web (and other) applications use MD5, SHA1, or SHA-256 to hash user passwords, and more enlightened developers even salt the password. And over the years I’ve seen heated discussions on just how salt values should be generated and on how long they should be. Unfortunately in most cases people overlook the fact that MD and SHA hash families are designed for computational speed, and the quality of your salt values doesn’t really matter when an attacker has gained full control, as happened with rootkit.com. When an attacker has root access, they will get your passwords, salt, and the code that you use to verify the passwords.”

Source: Are You Sure SHA-1+Salt Is Enough For Passwords?
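
The point about hash speed can be measured. The following is an added example, not part of the submission or the linked article: it compares the cost of one password check under salted SHA-1 with one check under a deliberately slow derivation. PBKDF2-HMAC-SHA256 and the iteration count are assumptions chosen for the demo (the page names no replacement scheme), and all function names are hypothetical.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 200_000  # constructed work factor for this demo only


def sha1_salted(password: bytes, salt: bytes) -> bytes:
    """The scheme the summary questions: one fast hash over salt + password."""
    return hashlib.sha1(salt + password).digest()


def pbkdf2_slow(password: bytes, salt: bytes,
                iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Deliberately slow derivation (assumed stand-in, not named on the page)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def verify(derive, password: bytes, salt: bytes, stored: bytes) -> bool:
    """Recompute the stored value and compare in constant time."""
    return hmac.compare_digest(derive(password, salt), stored)


def seconds_per_check(derive, rounds: int) -> float:
    """Average wall-clock cost of one derivation, i.e. of one guess."""
    salt = os.urandom(16)  # the salt is known to whoever holds the database
    start = time.perf_counter()
    for i in range(rounds):
        derive(b"candidate-%d" % i, salt)
    return (time.perf_counter() - start) / rounds


def cost_ratio() -> float:
    """How many times more expensive one slow check is than one SHA-1 check."""
    fast = seconds_per_check(sha1_salted, 20_000)
    slow = seconds_per_check(pbkdf2_slow, 3)
    return slow / fast


if __name__ == "__main__":
    salt = os.urandom(16)
    stored = pbkdf2_slow(b"correct horse", salt)
    print("verify ok:", verify(pbkdf2_slow, b"correct horse", salt, stored))
    print("cost ratio (slow KDF / salted SHA-1): %.0fx" % cost_ratio())
```

The salt is identical in both schemes; only the per-check work differs, which is the quantity that still matters once the hashes, salts, and verification code have all been taken.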
