re: Explain Hashing + salting Like I'm Five VIEW POST

TOP OF THREAD FULL DISCUSSION
re: Here's an example you're the owner of the data and I'm the nasty hacker. Someone signs up for your site and uses the password 'password' When you...
 

Gotta drop this in there: Don't use MD5 for password hashing. It's becoming increasingly less secure over time.

 

Agree, most implementations use bcrypt or scrypt these days

 

There is a general misconception about what the password hashing function should be.

It must be the (contextually reasonably) slowest function to compute. That's why you pick algorithm that does hashing function thousand's of times in a row consuming output as it's next input.

Pick a fast hashing function (the one that is simple, can be accelerated by CPU instruction set or GPU or even FPGA or ASIC programmed) and your passwords are no more safe than using plaintext. It's just a matter of some time.

You aim for security and if a user's login takes 1 second to complete due to necessity to calculate a computationally intensive hash function it's fine because logins happen occasionally and you know that nobody would be able to precompute your hash algorithm rainbow tables with something like 1 kH/s in next 10 years.

Edit:
CRC, MD5, SHA - those are all hashing functions aiming at speed. To calculate unique hash for a chunk of data. They are often used as integrity hashes. You receive a data (a file, a network packet, etc.) that has hash included. You can easily and quickly calculate the hash yourself with these functions and compare it to included hash to verify the file was not tampered with/corrupted during transit.

code of conduct - report abuse