- (+5) Are you seriously suggesting to use only two or three PBKDF2 iterations for password hashing? The minimum more than 10 years ago was 1000 and nowadays that is considered severely insufficient! I seriously suggest you re-think your answer. Do not suggest that users store passwords with "two or three" fast hash iterations. (forest, Feb 10, 2018 at 22:46)
- Please see also security.stackexchange.com/q/211/165253 and security.stackexchange.com/q/3959/165253. (forest, Feb 10, 2018 at 22:58)
- First of all, my initial suggestion was to use another algorithm. SHA is not suitable for this kind of operation anymore. But if the person asking really wants to use SHA only, what's the point of 100.000 iterations? Better use a hybrid WITH SHA instead of spending resources to do that... And it's also better to take a look at the security implementations used for input filtering and validation if we are talking about exposing credentials and other information. (Chris Tsiakoulas, Feb 11, 2018 at 10:56)
- (+3) The point of spending valuable resources is that the attacker must spend those valuable resources too when he's trying to brute-force the password. (FINDarkside, Feb 11, 2018 at 18:02)
- (+2) The point is that 100,000 iterations makes it 100,000x harder for them to brute force a hashed password, but only takes a fraction of a second for you to hash. It's a very common and highly effective technique for password strengthening. SHA256 is completely fine for password hashing as long as you use something like PBKDF2 (though it won't be as memory-hard as something like scrypt). (forest, Feb 12, 2018 at 1:42)