Alex Solari

Reputation: 127

Most secure way to hash passwords

I have these methods (pseudocode):

string predefinedsalt = "03jf0j02j302jf0j3f08h3298fbckm91jr192jr091j2-r01"

string dynsalt(user)
{
    return md5(user.id)
}

And to hash password I want to use one of these ways:

  1. md5(user.password)
  2. md5(user.password + predefinedsalt)
  3. md5(user.password + dynsalt(user))
  4. md5(md5(user.password) + dynsalt(user))

Which of these ways is more secure?

Upvotes: 0

Views: 75

Answers (1)

martinstoeckli

Reputation: 24141

None of your suggestions is safe for hashing passwords. Use a slow hash function with a cost factor like BCrypt, PBKDF2 or SCrypt and let the function generate a salt from the random source of the OS.

Password cracker tools already implement such combinations with MD5 out of the box, and MD5 is way too fast. One can calculate about 100 Giga MD5 per second with common hardware.

Upvotes: 3
