Sleeping Cyborg

Jonathan David Page talks about whatever he happens to be thinking about. Sometimes other people join in.


Password Storage 2: Electric Boogaloo

by on 29 January 2012
with some comments, maybe.

So it turns out that my previous article on password storage was slightly wrong. I've fixed that now.

The basic principle is still correct, but it turns out that I was wrong about which particular hashing functions were appropriate. It appears to be a somewhat common misconception. In reality, the proper way to store a password is to use bcrypt.

MD5, SHA1, SHA2, etc. are actually designed for message integrity checking and related tasks. This means that they are designed to be pretty fast, which is great if you need to quickly check whether a message has been corrupted, but it also makes a password hash easier to brute-force.

The bcrypt hash algorithm, on the other hand, is specifically designed to be incredibly slow, with the option to make it even slower as processor speeds increase. It also has the idea of salting built in.
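As an added example (not code from the original post), here is the contrast described above in Python: an unsalted fast hash beside a salted scheme with a stored, adjustable cost. The slow scheme uses PBKDF2-HMAC from the standard library as a stand-in for bcrypt, since it ships with Python; the record format and the `needs_rehash` check are assumptions for illustration, not bcrypt's own format.

```python
import base64
import hashlib
import hmac
import os

SLOW_ALGO = "pbkdf2_sha256"  # stdlib stand-in for bcrypt (assumed label)


def fast_hash(password: str) -> str:
    # Unsalted single-round SHA-256: identical passwords give identical
    # hashes, and it runs at hardware speed, so it is cheap to brute-force.
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str, cost: int = 200_000, salt=None) -> str:
    # Fresh random 16-byte salt per password; the cost (iteration count)
    # is stored in the record so it can be raised as CPUs get faster.
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cost)
    return "$".join([SLOW_ALGO, str(cost),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(dk).decode()])


def parse_record(record: str):
    algo, cost, salt_b64, dk_b64 = record.split("$")
    if algo != SLOW_ALGO:
        raise ValueError("unknown record format: " + algo)
    return int(cost), base64.b64decode(salt_b64), base64.b64decode(dk_b64)


def verify(password: str, record: str) -> bool:
    # Recompute with the stored salt and cost; compare in constant time.
    cost, salt, expected = parse_record(record)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cost)
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str, current_cost: int) -> bool:
    # Records made with a lower cost than today's setting should be
    # rehashed on the user's next successful login.
    return parse_record(record)[0] < current_cost
```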

I've updated the original article to reflect this information.