Here is the text of the NIST sp800-63b Digital Identity Guidelines.

You are viewing a single thread.
View all comments View context
5 points

Hashing passwords isn’t even best practice at this point, it’s the minimally acceptable standard.

permalink
report
parent
reply
2 points
*

What is the best practice currently?

permalink
report
parent
reply
8 points
*

Use a library. It’s far too easy for developers or project managers to fuck up the minimum requirements for safely storing passwords.

But, if you are wanting to do it by hand…

  • Don’t use a regular hashing algorithm, use a password hashing algorithm
  • Use a high iteration count to make it too resource-intensive to brute force
  • Salt the hash to prevent rainbow tables
  • Salt the hash with something unique to that specific user so identical passwords have different hashes
permalink
report
parent
reply
2 points

Salt the hash with something unique to that specific user so identical passwords have different hashes

Isn’t that… the very definition of a Salt? A user-specific known string? Though my understanding is that the salt gets appended to the user-provided password, hashed and then checked against the record, so I wouldn’t say that the hash is salted, but rather the password.

Also using a pepper is good practice in addition to a salt, though the latter is more important.

permalink
report
parent
reply
1 point

I remember hearing to not layer encryptions or hashes on top of themselves. It didn’t make any sense to me at the time. It was presented as if that weakened the encryption somehow, though wasn’t elaborated on (it was a security focused class, not encryption focused, so didn’t go heavy into the math).

Like my thought was, if doing more encryption weakened the encryption that was already there, couldn’t an attacker just do more encryption themselves to reduce entropy?

The class was overall good, but this was still a university level CS course and I really wish I had pressed on that bit of “advice” more. Best guess at this point is that I misunderstood what was really being said because it just never made any sense at all to me.

permalink
report
parent
reply
1 point
*

Sorta. Not really.

Key derivation algorithms are still hashes in most practical ways. Though they’re derived directly from block ciphers in most cases, so you could also say they’re encrypted. Even though people say to hash passwords, not encrypt them.

I find the whole terminology here to be unenlightening. It obscures more than it understands.

permalink
report
parent
reply
2 points

A KDF is not reversible so it’s not encryption (a bad one can be brute forced or have a collision, but that’s different from decrypting it even if the outcome is effectively the same). As long as you’re salting (and ideally peppering) your passwords and the iteration count is sufficiently high, any sufficiently long password will be effectively unrecoverable via any known means (barring a flaw being found in the KDF).

The defining characteristic that separates hashing from encryption is that for hashing there is no inverse function that can take the output and one or more extra parameters (secrets, salts, etc.) and produce the original input, unlike with encryption.

permalink
report
parent
reply
1 point
*

OK. How do you reconcile that with “Hashing passwords isn’t even the best practice at this point”? Key derivation functions are certainly the recommended approach these days. If they are hashes, then your earlier post is wrong, and if they aren’t hashes, then your next post was wrong.

permalink
report
parent
reply

Technology

!technology@lemmy.world

Create post

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


Community stats

  • 17K

    Monthly active users

  • 6.1K

    Posts

  • 131K

    Comments