You are viewing revision #8 of this wiki article.
This is the latest version of this article.
You may want to see the changes made in this revision.
Obsolete
This wiki has been replaced by Use crypt() for password storage.
For completeness
You touched all the important points in this article for storing passwords: using salt, a slow hashing algorithm, real randomness.
For completeness, don't forget to define a password policy for your application and users as well, for example:
The OWASP is your friend here: https://www.owasp.org/index.php/Main_Page
@marcovtwout
"put requirements on things like minimum password length, using uppercase and lowercase characters, etc."
Minimum length should be the only requirement. Upper/lower case and numbers are not making your passwords any more secure (the improvement is negligible). And maybe a hint that people should use passphrases instead of passwords.
And judging from this article, "Password length & complexity", I wouldn't use OWASP as a reference.
General password handling policies
The comments of rtfm and marcovtwout are welcome. Such matters are beyond the scope of what I wanted to address.
I wanted to focus on the chronic problem of insecure password hashing. I am unhappy that influential tutorials, guides and books routinely demonstrate poor methods. If they are going to punt on the problem it would be better if these guides saved passwords in plaintext, forcing users to take responsibility for researching appropriate methods.
OWASP
@rtfm: Agreed about that OWASP article.
This is a good example of why I don't use such password strength meters, they give dangerously stupid answers. "H@ckMe1" by this algorithm has a reassuringly high strength of 28 but its entropy, assuming the user's native language is English, is very low. A dictionary attack will get it.
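As an added illustration (not part of the original article or any commenter's code), here is a Python sketch contrasting a hypothetical character-class strength meter with a dictionary check that first undoes common symbol-for-letter substitutions. The scorer, the word list and the substitution table are constructed for this example; they are not the OWASP meter's actual algorithm or list.

```python
import re

# Constructed mini word list standing in for a real English dictionary (hypothetical).
WORDLIST = {"hackme", "password", "letmein", "welcome", "qwerty"}

# Common substitutions a dictionary attack undoes before comparing (constructed subset).
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s"})

# Digits and symbols users typically bolt onto the start or end of a word.
_EDGE_CHARS = "0123456789!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~ "


def class_count_score(pw: str) -> int:
    """Hypothetical meter: 2 points per character plus 5 per character class present.
    It rewards "H@ckMe1"-style passwords without asking whether they are a dictionary word."""
    classes = sum(1 for pat in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
                  if re.search(pat, pw))
    return 2 * len(pw) + 5 * classes


def normalize(pw: str) -> str:
    """Strip leading/trailing digits and symbols, undo leet substitutions, lowercase."""
    core = pw.strip(_EDGE_CHARS)
    return core.translate(LEET_MAP).lower()


def dictionary_guessable(pw: str, wordlist=WORDLIST) -> bool:
    """True if the password collapses to a word-list entry after normalisation."""
    return normalize(pw) in wordlist


def assess(pw: str) -> dict:
    """Both views side by side: the meter's score and whether a dictionary attack gets it."""
    return {"meter_score": class_count_score(pw),
            "dictionary_guessable": dictionary_guessable(pw)}


if __name__ == "__main__":
    for candidate in ("H@ckMe1", "P@ssw0rd", "correct horse battery staple"):
        print(candidate, assess(candidate))
```

Run it and "H@ckMe1" gets a higher meter score than a plain lowercase passphrase yet collapses to a word-list entry, which is the commenter's point about entropy versus meter output.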
Re: General password handling policies
You are right, using weak encryption in tutorials without a proper explanation is misleading and should be corrected where possible.
Re: OWASP
You are right, that OWASP article you found is outdated. With the power of modern-day GPUs, requirements on password strength have changed: password length is the most important (min. 12 chars), but mixed case and adding numbers/symbols still adds significant complexity. In the end, you want passwords that are easy to remember, but hard to crack.
For more guidelines as to password strength, this serves me well: http://en.wikipedia.org/wiki/Password_strength#Guidelines_for_strong_passwords