<p>A much shorter and safer answer - <strong>don't write your own password mechanism at all</strong>, use a tried and tested mechanism.</p> <ul> <li>PHP 5.5 or higher: <a href="http://php.net/manual/en/function.password-hash.php" rel="noreferrer">password_hash()</a> is good quality and part of PHP core.</li> <li>Older PHP versions: OpenWall's <a href="http://www.openwall.com/phpass/" rel="noreferrer">phpass</a> library is much better than most custom code - used in WordPress, Drupal, etc.</li> </ul> <p>Most programmers just don't have the expertise to write crypto related code safely without introducing vulnerabilities.</p> <p><strong>Quick self-test:</strong> what is password stretching and how many iterations should you use? If you don't know the answer, you should use <code>password_hash()</code>, as password stretching is now a critical feature of password mechanisms due to much faster CPUs and the use of <a href="http://blog.crackpassword.com/2012/07/accelerating-password-recovery-the-addition-of-fpga/" rel="noreferrer">GPUs and FPGAs</a> to crack passwords at rates of <a href="http://en.wikipedia.org/wiki/Password_cracking#Time_needed_for_password_searches" rel="noreferrer">billions of guesses per second</a> (with GPUs).</p> <p>For example, you can <a href="http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/" rel="noreferrer">crack all 8-character Windows passwords in 6 hours</a> using 25 GPUs installed in 5 desktop PCs. This is brute-forcing, i.e. enumerating and checking <em>every 8-character Windows password</em>, including special characters, and is not a dictionary attack. That was in 2012; as of 2018 you could use fewer GPUs, or crack faster with 25 GPUs.</p> <p>There are also many rainbow table attacks on Windows passwords that run on ordinary CPUs and are very fast. All this is because Windows <em>still</em> <a href="https://superuser.com/a/118279/90231">doesn't salt or stretch</a> its passwords, <a href="https://www.guidingtech.com/61991/cracking-windows-10-password-prevent/" rel="noreferrer">even in Windows 10</a> - don't make the same mistake as Microsoft did!</p> <p><strong>See also:</strong> </p> <ul> <li><a href="https://stackoverflow.com/questions/1581610/how-can-i-store-my-users-passwords-safely/1581919#1581919">excellent answer</a> with more about why <code>password_hash()</code> or <code>phpass</code> are the best way to go.</li> <li><a href="https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2015/march/enough-with-the-salts-updates-on-secure-password-schemes/" rel="noreferrer">good blog article</a> giving recommended 'work factors' (number of iterations) for main algorithms including bcrypt, scrypt and PBKDF2.</li> </ul>
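The stretching and work-factor advice in the answer above, as an added example that is not part of the answer: it picks a bcrypt cost by timing it on the current hardware, stores the `password_hash()` output, and upgrades old hashes on login with `password_needs_rehash()`. The 250 ms target, the cost bounds and the sample password are assumptions for illustration.

```php
<?php
// Added example (not from the answer above): password_hash() with a tuned
// work factor, plus transparent re-hashing when the cost policy is raised.

// Find the bcrypt cost that first takes about $targetSeconds on this machine.
// Assumption: ~250 ms per hash is an acceptable login delay for the site.
function chooseBcryptCost(float $targetSeconds = 0.25, int $maxCost = 15): int
{
    for ($cost = 10; $cost < $maxCost; $cost++) {
        $start = microtime(true);
        password_hash('benchmark-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        if (microtime(true) - $start >= $targetSeconds) {
            break;
        }
    }
    return $cost;
}

// Registration: store the whole string; it embeds algorithm, cost and a
// random salt, so no separate salt column is needed.
function registerPassword(string $password, int $cost): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Login: verify against the stored hash. If that hash was created with a
// weaker cost than the current policy, return a fresh hash so the caller
// can write it back to the database (the plaintext is available only now).
function loginPassword(string $password, string $storedHash, int $cost): array
{
    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'newHash' => null];
    }
    $newHash = null;
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $cost])) {
        $newHash = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    return ['ok' => true, 'newHash' => $newHash];
}

// Constructed sample: an account registered with a low cost (10), then a
// login under the current, benchmarked policy.
$cost   = chooseBcryptCost();
$stored = registerPassword('correct horse battery staple', 10);
$result = loginPassword('correct horse battery staple', $stored, $cost);
printf("login ok: %s, hash upgraded: %s (policy cost %d)\n",
    $result['ok'] ? 'yes' : 'no', $result['newHash'] !== null ? 'yes' : 'no', $cost);
```

Note that bcrypt only uses the first 72 bytes of the password; if longer passphrases must be supported in full, use the PASSWORD_ARGON2ID constant on PHP 7.3+ with the same functions.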