The third part of this series presented PBKDF2 as a modern key derivation and password hashing algorithm. But PBKDF2 has its limitations; for best protection against password cracking the iteration count (defining the computing power needed to hash a password) should be chosen as high as possible. On the other hand, a higher iteration count also means that a login of a […]
The last part of this series presented a fairly serious password hashing algorithm using an HMAC and a salt value. However, as this article will show, this construction can be much improved, dramatically raising the “price” for an attacker to crack a password hash. How to Attack a Password Database To improve our salted HMAC construction, we need to know how an adversary […]
The first part of this article presented secure hash algorithms, the basic building blocks for password hashing. This part will now show how to apply these building blocks to construct a reasonable password hashing algorithm. Take it with a Pinch of Salt Since we now know much more about secure hash functions, can we use something like SHA-256 or maybe […]
Many applications store passwords for user authentication. Using an appropriate password hashing algorithm can efficiently protect the stored passwords even when the persisted password hashes get stolen by an attacker. Unfortunately many developers assigned with the task to implement a persistent password storage lack the necessary cryptographical background knowledge to choose a strong password hashing […]