Password hashing algorithms

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
11 years ago
With the recent password hash leak by LinkedIn/eHarmony, a lot of people are talking about password hashing algorithms. NopCommerce uses SHA-1 with a 5 character salt that is unique to each customer. That is much better than what LinkedIn was doing (MD5 with no salt) but it looks like even SHA-1 with salts can be brute-forced in a reasonable time frame (days).

Is there any thought of offering Bcrypt or PBKDF2? I know PBKDF2 is built into the .net framework (Stackoverflow switched from Bcrypt to PBKDF2). The benefit of these is that it takes 0.3 seconds to generate a hash versus milliseconds for MD5/SHA-1. That difference isn't a big deal when you're logging in but it greatly increases the time needed to crack a hash. It goes from days to thousands of years.

I was going to ask how one would handle switching hashing methods when customers are already registered and then saw that each customer has a PasswordFormatId. Awesome!
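As an added example (not nopCommerce's code, and not code from any poster in this thread), here is the migration pattern the post above sketches: keep a verifier for the legacy salted SHA-1 rows, add a PBKDF2 verifier, branch on a per-customer format id, and re-hash a legacy row the first time its owner logs in successfully, because that login is the only moment the server holds the plaintext. It is written in Python around hashlib.pbkdf2_hmac; in .NET the equivalent built-in primitive is Rfc2898DeriveBytes. The format id values, the row layout, the password-then-salt concatenation order of the legacy scheme and the iteration count are assumptions for the demo, not taken from nopCommerce.

```python
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass

# Assumed format ids; nopCommerce's real PasswordFormatId values are not given in the thread.
FORMAT_SHA1_SALTED = 1
FORMAT_PBKDF2 = 2

# Work factor for the new scheme. Tune it so one hash costs a noticeable fraction
# of a second on the login server; every guess costs the attacker the same amount.
PBKDF2_PRF = "sha256"
PBKDF2_ITERATIONS = 200_000
PBKDF2_SALT_BYTES = 16


@dataclass
class Customer:
    """Minimal stand-in for the customer row (assumed layout)."""
    password_format_id: int
    password_salt: str    # 5-char text salt for SHA-1, hex-encoded random bytes for PBKDF2
    password_hash: str    # hex digest
    iterations: int = 0   # stored per row so the work factor can be raised later


def legacy_salt(length: int = 5) -> str:
    """Per-customer alphanumeric salt, 5 characters as the post describes."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def legacy_sha1(password: str, salt: str) -> str:
    """The old scheme: a single SHA-1 call, so each guess costs microseconds.
    Assumed order password||salt; a real migration must match the deployed code exactly."""
    return hashlib.sha1((password + salt).encode("utf-8")).hexdigest()


def pbkdf2(password: str, salt: bytes, iterations: int) -> str:
    """The new scheme: PBKDF2-HMAC-SHA256, cost scales linearly with iterations."""
    return hashlib.pbkdf2_hmac(PBKDF2_PRF, password.encode("utf-8"), salt, iterations).hex()


def create_legacy_customer(password: str) -> Customer:
    """Builds a row the way the pre-migration store would have (demo only)."""
    salt = legacy_salt()
    return Customer(FORMAT_SHA1_SALTED, salt, legacy_sha1(password, salt))


def create_customer(password: str) -> Customer:
    """New registrations go straight to PBKDF2 with a fresh random salt."""
    salt = os.urandom(PBKDF2_SALT_BYTES)
    return Customer(FORMAT_PBKDF2, salt.hex(),
                    pbkdf2(password, salt, PBKDF2_ITERATIONS), PBKDF2_ITERATIONS)


def verify_and_upgrade(customer: Customer, password: str) -> bool:
    """Checks the password against whichever format the row is in.

    A legacy row that verifies is rewritten in place as PBKDF2. Stored SHA-1
    hashes cannot be converted in bulk (the plaintext is gone), so rows are
    replaced one at a time as customers log in.
    """
    if customer.password_format_id == FORMAT_SHA1_SALTED:
        expected = legacy_sha1(password, customer.password_salt)
        ok = hmac.compare_digest(expected, customer.password_hash)  # constant-time compare
        if ok:
            fresh = create_customer(password)
            customer.password_format_id = fresh.password_format_id
            customer.password_salt = fresh.password_salt
            customer.password_hash = fresh.password_hash
            customer.iterations = fresh.iterations
        return ok
    if customer.password_format_id == FORMAT_PBKDF2:
        expected = pbkdf2(password, bytes.fromhex(customer.password_salt), customer.iterations)
        return hmac.compare_digest(expected, customer.password_hash)
    raise ValueError(f"unknown password format id {customer.password_format_id}")


if __name__ == "__main__":
    import time
    row = create_legacy_customer("correct horse battery staple")
    print("format before login:", row.password_format_id)
    assert verify_and_upgrade(row, "correct horse battery staple")
    print("format after login: ", row.password_format_id, "iterations:", row.iterations)
    # Rough per-hash cost of each scheme on this machine, i.e. the cost of one guess.
    for name, fn in (("sha1", lambda: legacy_sha1("guess", "abcde")),
                     ("pbkdf2", lambda: pbkdf2("guess", b"0123456789abcdef", PBKDF2_ITERATIONS))):
        t0 = time.perf_counter()
        fn()
        print(f"{name}: {time.perf_counter() - t0:.6f} s per hash")
```

Two practical notes on this pattern: the rows of customers who never log in again stay SHA-1 indefinitely, so a migration usually pairs upgrade-on-login with a deadline after which remaining legacy rows are forced through a password reset; and the iteration count is stored per row precisely so that it can be raised later with the same upgrade-on-login mechanism, without another format id.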
11 years ago
Thanks a lot. Please vote here
11 years ago
I recently blogged about strong password encryption in detail at http://www.programminginterviews.info/2012/05/how-to-store-user-passwords-using.html
9 years ago
Bump, 11 votes still no change? SHA-1 passwords are easy to retrieve these days with GPU accelerated farms.