
Secure Salted Password Hashing - How to do it Properly

If you're a web developer, you've probably had to make a user account system. The most important aspect of a user account system is how user passwords are protected. User account databases are hacked frequently, so you absolutely must do something to protect your users' passwords if your website is ever breached. There are a lot of conflicting ideas and misconceptions on how to do password hashing properly, probably due to the abundance of misinformation on the web.

IMPORTANT WARNING: If you are thinking of writing your own password hashing code, please don't! If for some reason you missed that big red warning note, please go read it now.

What is password hashing?

hash("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
hash("hbllo") = 58756879c05c68dfac9866712fad6a93f8146f337a69afe7dd238f3364946366
hash("waltz") = c0e81794384491161f1777c232bc6bd9ec38f616560b120fda8e90f383853542
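The hash("hello") value above is a plain SHA-256 digest, which is the same for every user who picks that password. The following added example (not code from the article, which rightly tells you to rely on an existing library) contrasts that with a per-user random salt and a slow key-derivation function, using Python's standard hashlib; the choice of PBKDF2-HMAC-SHA256, the iteration count and the record format are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters assumed for this example (not from the article): PBKDF2-HMAC-SHA256,
# a 16-byte random salt per password, and a 32-byte derived key.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def unsalted_hash(password: str) -> str:
    """Plain SHA-256, as in the article's hash("hello") example: identical
    passwords always produce identical hashes, which is why a salt is needed."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.
    A fresh random salt is drawn from os.urandom unless one is supplied (for tests)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare in
    constant time. Malformed or foreign records are rejected instead of raising."""
    try:
        algorithm, iter_str, salt_hex, digest_hex = stored.split("$")
        iterations = int(iter_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if algorithm != ALGORITHM or iterations <= 0 or not salt or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("hello")
    print(record, verify_password("hello", record), verify_password("hbllo", record))
```

Two users with the password "hello" get different records because their salts differ, so a precomputed table of SHA-256 values is useless against the stored digests, and verification never leaks timing information about how many bytes matched.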

What is Heartbleed, anyway?

If you're an IT professional, gadget blogger or token geek in your circle of friends, chances are you've been hounded relentlessly over the past couple of days about "this Heartbleed thing." "Do I need to update my antivirus?" "Can I login to my bank account now?" "Google already fixed it, right?" We've heard them all, but the answers aren't all that clear or simple.

How it works

The problem affects a piece of software called OpenSSL, used for security on popular web servers. OpenSSL is an open-source project, meaning it was developed by really talented volunteers, free of charge, to help the internet community. Heartbleed exploits a built-in feature of OpenSSL called heartbeat. The data that lives beyond this request "may contain data left behind from other parts of OpenSSL," according to CloudFlare.

What should I do?

If you need the TL;DR, here it is: do not panic.

Russian Hackers Steal More Than A Billion Usernames And Passwords
