Board: Bitcoin Discussion
Re: Public Safety Announcement: On the subject of password security
by Rob P. on 19/06/2011, 20:44:22 UTC
Please, service providers...  Use the best possible solution available!

If you can use multiple SHA512 hashes, each with different unique salts from different sections of passwords... do it! If you can run that same thing for 5 passes... do it!

Don't just go with MD5 + usalt because "no-one will ever get the database". Always prepare for the worst case scenario. Have graceful hash updates! If a better hashing method becomes available, make users reset their password! (Or have it be done automatically on log in using the submitted password for 30 days, and after that time, require a reset.)

Thanks for listening, do shout at me if you think this is stupid advice! Smiley

Of course users should:

1)  Have a 15+ character password.
2)  Have that password contain a minimum of 2 digits, 2 upper, 2 lower, 2 symbols, none repeating
3)  Have that password be unique to that site

Then you have very little to worry about, unless of course it is stored in clear text.
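The "graceful hash update" the post describes (re-hash with the stronger scheme on a successful login during a 30-day window, require a reset afterwards) as an added example; this is not code from the post or from any real service, and the scheme names, the salted-MD5 legacy format and the choice of PBKDF2-SHA512 as the "better hashing method" are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

LEGACY = "md5"               # assumed legacy scheme: md5(salt || password)
CURRENT = "pbkdf2-sha512"    # assumed replacement scheme
GRACE_DAYS = 30              # window from the post: upgrade on login, then force a reset


@dataclass
class Record:
    scheme: str   # which hashing scheme produced `digest`
    salt: bytes
    digest: str   # hex digest


def hash_legacy(password: str, salt: bytes) -> str:
    return hashlib.md5(salt + password.encode()).hexdigest()


def hash_current(password: str, salt: bytes, iterations: int = 100_000) -> str:
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations).hex()


def verify(record: Record, password: str) -> bool:
    """Check a password against whichever scheme the stored record uses."""
    if record.scheme == LEGACY:
        candidate = hash_legacy(password, record.salt)
    elif record.scheme == CURRENT:
        candidate = hash_current(password, record.salt)
    else:
        return False  # unknown scheme: never accept
    return hmac.compare_digest(candidate, record.digest)


def login(record: Record, password: str, now: float, migration_started: float):
    """Returns (outcome, record). Outcomes: "denied", "reset_required", "upgraded", "ok".

    `now` and `migration_started` are epoch seconds; the migration start is when
    the stronger scheme became available, i.e. when the 30-day grace window opened.
    """
    if not verify(record, password):
        return "denied", record
    if record.scheme == LEGACY:
        if now - migration_started > GRACE_DAYS * 86400:
            return "reset_required", record   # grace window over: force a password reset
        # Still inside the window: transparently re-hash with a fresh salt.
        salt = os.urandom(16)
        return "upgraded", Record(CURRENT, salt, hash_current(password, salt))
    return "ok", record
```

The stored record must carry its scheme tag, otherwise the service cannot tell which accounts are still on the old hash once the window closes.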