Passwords: What a salt is, and what LinkedIn failed to do (wordsonaplatform.tumblr.com)
http://www.mindrot.org/projects/jBCrypt/ - last updated 2010
http://bcrypt.sourceforge.net/ - updated 2002
http://news.ycombinator.com/item?id=601408 - bcrypt is now obsolete
http://stackoverflow.com/questions/615704/preferred-method-o... no mention of it
I'm not saying I disagree, I'm just frustrated that the MOST important thing in the world for web developers (storing passwords) is still the MOST half-assed process.
Where's the super-simple-recently-updated-one-line call? Use bcrypt? What about scrypt? What about salting, md5, sha1, sha256, sha512, blowfish...
Here's what I want:
String value = MrCrypto.encrypt("Pa33W0rd", MrCrypto.SECURE);
// or
String value = MrCrypto.encrypt("Pa33W0rd", MrCrypto.FAST);
boolean matches = MrCrypto.matches("Pa33W0rd", value);
Something like that, updated whenever a better process comes up, seamless, backwards compatible and universally accepted (something ported to php, ruby, grails, nodejs, java, c#, python etc.). Does that exist?
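An added example, not part of the comment above and not any existing library's API: a sketch of how the "seamless, backwards compatible" part can work, by storing the scheme and cost parameters next to the salt so old records still verify after the policy changes. The function names, the `scheme$params$salt$hash` record layout and the cost presets are assumptions made for this illustration; it uses only Python's standard `hashlib`.

```python
import base64
import hashlib
import hmac
import os

# Hypothetical cost presets named after the comment's SECURE / FAST levels.
FAST = {"n": 2**14, "r": 8, "p": 1}
SECURE = {"n": 2**15, "r": 8, "p": 1}
CURRENT = SECURE  # change this when a stronger setting becomes the policy


def b64(raw):
    return base64.b64encode(raw).decode("ascii")


def derive(scheme, params, salt, password):
    """Run the key-derivation function that a record names."""
    pw = password.encode("utf-8")
    if scheme == "scrypt":
        n, r, p = (int(x) for x in params.split(","))
        return hashlib.scrypt(pw, salt=salt, n=n, r=r, p=p,
                              maxmem=128 * 1024 * 1024, dklen=32)
    if scheme == "pbkdf2-sha256":  # older scheme, kept so old records verify
        return hashlib.pbkdf2_hmac("sha256", pw, salt, int(params), dklen=32)
    raise ValueError("unknown scheme: " + scheme)


def make_record(scheme, params, password):
    """Build a self-describing record with a fresh random salt."""
    salt = os.urandom(16)
    digest = derive(scheme, params, salt, password)
    return "$".join([scheme, params, b64(salt), b64(digest)])


def hash_password(password, level=CURRENT):
    return make_record("scrypt", "{n},{r},{p}".format(**level), password)


def matches(password, record):
    """Verify using whatever scheme and cost the record itself declares."""
    scheme, params, salt, expected = record.split("$")
    got = derive(scheme, params, base64.b64decode(salt), password)
    return hmac.compare_digest(got, base64.b64decode(expected))


def needs_upgrade(record, level=CURRENT):
    """True when the record was not produced under the current policy."""
    scheme, params = record.split("$")[:2]
    return (scheme, params) != ("scrypt", "{n},{r},{p}".format(**level))
```

A login handler would call `matches` first and, when it succeeds and `needs_upgrade` is true, store a new `hash_password` record while the plaintext is still in hand.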