{"id":1174,"date":"2016-06-14T22:31:54","date_gmt":"2016-06-15T04:31:54","guid":{"rendered":"http:\/\/jaredrobinson.com\/blog\/?p=1174"},"modified":"2016-06-14T22:31:54","modified_gmt":"2016-06-15T04:31:54","slug":"how-to-store-passwords-use-argon2","status":"publish","type":"post","link":"https:\/\/jaredrobinson.com\/blog\/how-to-store-passwords-use-argon2\/","title":{"rendered":"How to store passwords: Use Argon2"},"content":{"rendered":"

If you’re designing a service that requires passwords for authentication, store them using the Argon2<\/a> or bcrypt<\/a> password hashing functions. Don’t use MD5, SHA-1, SHA-2 or SHA-3 — they’re not designed to keep passwords secure against attackers that gain access to your password database.<\/p>\n

Reference article: How LinkedIn\u2019s password sloppiness hurts us all<\/a> by Jeremi M. Gosney<\/p>\n

\n

If [online services] aren\u2019t using something like bcrypt or Argon2 for password storage, then they’re doing things very, very wrong. But slow hashing is no longer as effective of a solution as it could have once been had it only been adopted sooner.<\/p>\n

When you suspect a password database has been compromised, even just in part, you cash in on that insurance policy [of using forced password resets] immediately by activating your incident response team and your public relations team.<\/p>\n<\/blockquote>\n

What is Argon2? It’s the winning algorithm from the Password Hashing Competition<\/a>. Argon2 has been added to recent versions of libsodium<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

If you’re designing a service that requires passwords for authentication, store them using the Argon2 or bcrypt password hashing functions. Don’t use MD5, SHA-1, SHA-2 or SHA-3 — they’re not designed to keep passwords secure against attackers that gain access to your password database. Reference article: How LinkedIn\u2019s password sloppiness hurts us all by Jeremi … <\/p>\n

Continue reading “How to store passwords: Use Argon2”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12,16,17,30],"tags":[],"class_list":["post-1174","post","type-post","status-publish","format-standard","hentry","category-programming","category-security","category-tech","category-tools"],"_links":{"self":[{"href":"https:\/\/jaredrobinson.com\/blog\/wp-json\/wp\/v2\/posts\/1174","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jaredrobinson.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jaredrobinson.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jaredrobinson.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jaredrobinson.com\/blog\/wp-json\/wp\/v2\/comments?post=1174"}],"version-history":[{"count":7,"href":"https:\/\/jaredrobinson.com\/blog\/wp-json\/wp\/v2\/posts\/1174\/revisions"}],"predecessor-version":[{"id":1181,"href":"https:\/\/jaredrobinson.com\/blog\/wp-json\/wp\/v2\/posts\/1174\/revisions\/1181"}],"wp:attachment":[{"href":"https:\/\/jaredrobinson.com\/blog\/wp-json\/wp\/v2\/media?parent=1174"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jaredrobinson.com\/blog\/wp-json\/wp\/v2\/categories?post=1174"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jaredrobinson.com\/blog\/wp-json\/wp\/v2\/tags?post=1174"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}