MarJamRob

Reputation: 3475

Is the C++ hash function reasonably safe for passwords?

Is the built-in hash function in C++ reasonably safe for hashing passwords? For instance something like the below.

#include <functional>
#include <iostream>
#include <string>

int main ()
{
    std::hash <std::string> hash;

    std::string passwordGuess;
    unsigned long hashedPassword = 1065148159544519853; // hash of password

    std::cout << "Enter your password: ";
    std::cin >> passwordGuess;

    unsigned long hashedPasswordGuess = hash(passwordGuess);


    if (hashedPasswordGuess  == hashedPassword) {
        std::cout << "Password is correct!" << std::endl;
    } else {
        std::cout << "Password is wrong!" << std::endl;
    }
}

Is this reasonably safe or not?

Upvotes: 5

Views: 14001

Answers (2)

Jon

Reputation: 437554

It is nowhere near reasonably safe, as this hash function is not intended to be used for cryptographic purposes.

Actually, even hash functions intended to be used for cryptographic purposes (such as the now-broken MD5, good old SHA1 and even the very new SHA3) are not meant for hashing stored passwords; this is because they are designed to be fast, whereas for password security you want a hash designed to be slow in order to limit the damage if the hashes are leaked.

If you intend to hash passwords you should look up C++ (or C, as they will probably be easier to find) implementations of bcrypt or PBKDF2; I know that Crypto++ does at least the latter.

For a detailed analysis of hashing passwords, see also how to securely hash passwords.

Upvotes: 20

brian beuning

Reputation: 2862

When people talk about hashing passwords, it is not in the hashtable sense. A password hash should be a one-way function. The cryptographic hashes, like SHA1, are what you want to use.

There are many techniques to hashing right. You need to include a salt to prevent dictionary attacks. And you want to hash multiple (4k to 16k) times.

Upvotes: 0
