Password Hashing for SocialNetworking and Finacal data [duplicate]

This question already has answers here: Closed 11 years ago.

Possible Duplicate:

Salting Your Password: Best Practices?

The company I work for is building a social network (like many other people are). While working on the user login system I was unsure what sort of hashing to use. I know never to use md5. I have an interesting way of working with sha512 and whirlpool and a changin开发者_Python百科g salt. My boss says he may want to have users finacal data connected with there login info. The language is PHP just to let you know.

---

Whatever you do, do NOT roll your own password hashing function. The very worst thing you can do is "have an interesting way of working" with crypto primitives. Algorithms like bcrypt have been developed and analysed by professional cryptographers, and they are much better at it than me, you, or just about anyone else on StackOverflow.

It is surprisingly easy to weaken your security when you think you are strengthening it.

Also, for financial information, do NOT roll your own password hashing function. It's important enough to say twice.

---

• Use a good hash function.
• Use a separate salt for each user.

I've recently seen Blowfish recommended as a best practice for password hashing, on the basis that it's slower than the SHA family so it makes brute-force guessing attacks less practical. According to Wikipedia, OpenBSD uses it for this reason.

You might also consider implementing support for OpenID so users don't have to store a password on your site at all. (That'd be a nice optional feature for a social network, though it may not be acceptable for a financial site, e.g. for regulatory reasons.)

---

Two obvious things to bear in mind which everyone prefer to forget:

1. Password hashing actually adds nothing to the site security itself. It's just for such imaginary case when your user base was stolen and used against the same users somewhere else.

2. No hashing algorithm with super-extra-random salt will protect silly passwords like 'joe', '123' or 'password'. Or even more complex passwords like 'v5dsa'.

So, you have to either torture your users with strong passwords requirement or just forget such a silly matter as a password hashing.

Or simply warn them not to use the same password for your site and your mission accomplished!

Hashing problem is way exaggerated on this site.
An average so-called "PHP programmer" thinks that if they don't use MD5 which is "broken" (though they have no idea what does it mean) - they are safe.

The poor OP is a perfect example of what I am saying:
He is doing 2 different hashes and store them separately. thinking it will help with securing their site :)

That's the problem. An average user is thinking that password hashing has something to do with site security. While it is not.