What's the Best Hashing Algorithm for Storing Passwords?

  • Published: 8 Sep 2024
  • If you’ve had to store sensitive user information in a database, you’ve probably heeded the advice to “just use bcrypt”. But do you know why? What other choices are there? In this video we take a deep look at bcrypt, PBKDF2, scrypt and Argon2!
    Links:
    Big Machine: bit.ly/3AIbn6Q
    Michele's blog post on hashing: / password-hashing-pbkdf...

Comments • 23

  • @DomskiPlays
    @DomskiPlays 1 year ago +10

    The fact that a video with this level of comedy (+ education) doesn't have more views is a crime against humanity I ain't gonna lie

  • @phicoding7533
    @phicoding7533 2 years ago +9

    You produce the content of somebody with 1,000,000 subscribers.
    I hope that one day your sub count will match with your content.

    • @big-machine
      @big-machine 2 years ago +1

      Thanks Phil! Yeah, I've been at this a while but unfortunately I've been ignoring my channel. I'll get there!

  • @brdane
    @brdane 2 years ago +11

    One thing I heard some people say when asked about SHA-1 not generating secure hashes: someone asked about SHA-256 and said that it was significantly better, but there might still be risk. So, if that is the case, then that made me think, "If it isn't secure enough, then someone is eventually going to make an even more secure version of SHA... right?" And then that is when I found SHA-512. I read some people's opinion on it and they said that it was "overkill".
    That really got me thinking... why is it that when something like a hashing method, meant to protect data, has a flaw, people point it out and hate that it is breakable... but when they do find something more secure (SHA-512, for example), they turn it away and call it 'overkill'? Isn't there no such thing as overkill when it comes to protecting your data?

    • @big-machine
      @big-machine 2 years ago +12

      This is a very good question, and the answer is based on two different things. The first is that hashes don't always protect your data - sometimes they just identify it. For instance, with a Git commit - that uses SHA-1 as the identifier with the idea that it will always be unique given your repo and code (it's a hash of the previous commit id, the date, and some other things). You want this to be super fast, thus the use of SHA-1. Some have protested because SHA-1 has collisions, but Linus has pushed back saying 256 and 512 are complete overkill and speed outweighs it.
      With passwords you don't want speed - you want a burden of some kind. When talking about security, you want to mitigate rainbow/preimaging attacks, which means you want to make it as hard as possible to create the hash in the first place without making your users angry. This is a whole different set of concerns than using the SHA family. Given their speed, SHA hashes should *never* be used for passwords.
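
The point made in the reply above (a fast digest costs an attacker almost nothing per guess and, unsalted, lets one precomputed table crack every user, while a salted and deliberately slow KDF makes each guess expensive) is shown in the added example below. It is not code from the video or from any commenter; it uses only Python's standard library (hashlib.pbkdf2_hmac and hashlib.scrypt), so bcrypt and Argon2, which need third-party packages, are not included. The wordlist, the stored record format (kdf$params$salt$key), and the parameter choices (600,000 PBKDF2 iterations; scrypt N=2^14, r=8, p=1) are assumptions made for the demo, not values taken from the page.

```python
"""Fast hash vs. slow, salted KDF for password storage.

Added example, standard library only. bcrypt and Argon2 need third-party
packages and are not shown here.
"""
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed wordlist for the demo; not taken from any real breach.
WORDLIST = ["123456", "password", "letmein", "qwerty", "hunter2", "dragon"]

# Assumed parameters for the demo (OWASP's 2023 PBKDF2-HMAC-SHA256 figure;
# scrypt N=2^14, r=8, p=1 uses about 16 MiB of memory per guess).
PBKDF2_ITERATIONS = 600_000
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def sha256_unsalted(password: str) -> str:
    """One fast, unsalted SHA-256. Identical passwords give identical
    digests, so a single precomputed table cracks every user at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_attack(target_hex: str, wordlist) -> Optional[str]:
    """Offline guess loop: the attacker pays exactly one SHA-256 per candidate."""
    for candidate in wordlist:
        if sha256_unsalted(candidate) == target_hex:
            return candidate
    return None


def make_record(password: str, kdf: str = "pbkdf2") -> str:
    """Store a self-describing record: kdf$params$salt_hex$key_hex.
    A fresh random salt per user defeats shared precomputed tables."""
    salt = os.urandom(16)
    if kdf == "pbkdf2":
        key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        params = str(PBKDF2_ITERATIONS)
    elif kdf == "scrypt":
        key = hashlib.scrypt(password.encode(), salt=salt,
                             n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
        params = f"{SCRYPT_N},{SCRYPT_R},{SCRYPT_P}"
    else:
        raise ValueError(f"unknown kdf {kdf!r}")
    return f"{kdf}${params}${salt.hex()}${key.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Recompute from the stored salt and parameters; compare in constant time."""
    kdf, params, salt_hex, key_hex = record.split("$")
    salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
    if kdf == "pbkdf2":
        key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(params))
    elif kdf == "scrypt":
        n, r, p = (int(x) for x in params.split(","))
        key = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                             dklen=len(expected))
    else:
        return False
    return hmac.compare_digest(key, expected)


def seconds_per_guess(fn, runs: int) -> float:
    start = time.perf_counter()
    for _ in range(runs):
        fn()
    return (time.perf_counter() - start) / runs


def attacker_cost_ratio() -> float:
    """How many unsalted SHA-256 guesses fit in the time of one PBKDF2 guess."""
    salt = os.urandom(16)
    fast = seconds_per_guess(lambda: sha256_unsalted("hunter2"), 20_000)
    slow = seconds_per_guess(
        lambda: hashlib.pbkdf2_hmac("sha256", b"hunter2", salt, PBKDF2_ITERATIONS), 2)
    return slow / fast


if __name__ == "__main__":
    leaked = sha256_unsalted("hunter2")
    print("unsalted SHA-256 cracked as:", dictionary_attack(leaked, WORDLIST))
    rec = make_record("hunter2", "scrypt")
    print("stored record:", rec)
    print("login, right password:", verify_record("hunter2", rec))
    print("login, wrong password:", verify_record("hunter3", rec))
    print(f"one PBKDF2 guess costs about {attacker_cost_ratio():,.0f} SHA-256 guesses")
```

Two records for the same password differ because each gets its own salt, and the record carries its own parameters so the iteration count or scrypt cost can be raised later without breaking existing logins. The ratio printed at the end is the whole argument in one number: the SHA family is built to be fast, and that speed is exactly what an offline guessing attack exploits.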

  • @SamiEltamawy
    @SamiEltamawy 1 year ago +1

    I'm so impressed with your presentation skills that combine competence and humor. Thanks for making this video.

  • @whitewolf9671
    @whitewolf9671 2 years ago +6

    You deserve more subs

    • @rob-conery
      @rob-conery 2 years ago

      LOL thanks - getting there! I just booted my channel back up so... hopefully in time...

  • @EzequielRegaldo
    @EzequielRegaldo 1 year ago +5

    I hate it when solutions to real problems as covered in this video aren't popular like the "hello world" of most content creators.

  • @noelitonoelito
    @noelitonoelito 1 year ago +1

    Use a Bcrypt/Argon2 hash canoli. As long as the settings you choose are not too costly, issues resolved.

  • @m6t6ng6
    @m6t6ng6 10 days ago

    Great video! Keep it up.

  • @tipithedhedhistar4132
    @tipithedhedhistar4132 2 years ago +2

    Do you believe that Argon2 will be more resistant to increases in computing speed than Bcrypt?
    I am writing a research paper for school about Bcrypt and examining the extent to which computing speeds will affect it, and I would love your input on what could potentially happen to Bcrypt.

  • @imcabezas
    @imcabezas 2 years ago

    Great content! Thanks for sharing.

  • @IveSpentMonthsPreparingForThis
    @IveSpentMonthsPreparingForThis 2 years ago +1

    Thank you for the "ho ho ho" clarification

  • @neofox2526
    @neofox2526 1 year ago

    Amazing video!

  • @sunofabeach9424
    @sunofabeach9424 11 months ago

    yeah bcrypt my beloved

  • @spectator5144
    @spectator5144 1 year ago

    "then you get an e-mail from troy hunt" fuck

  • @HTWwpzIuqaObMt
    @HTWwpzIuqaObMt 2 years ago

    "encryption is bad hashing is good." Hashing is an encryption method tf

    • @big-machine
      @big-machine 2 years ago +2

      Yeah you go ahead and tell people you encrypted passwords in your database friendo... good "Well Actually" tho

    • @HTWwpzIuqaObMt
      @HTWwpzIuqaObMt 2 years ago

      @big-machine I'm not sure what you mean exactly

    • @jarbarsi
      @jarbarsi 2 years ago +3

      That highly depends on your definition of encryption, however most people generally tend to understand that encryption = two way cipher, and hashing = one way cipher. Depending on which definition of encryption you look at, 'technically' you _could_ be correct, but also that's not generally how these terms are used and I don't think anybody is being confused or misinformed by this statement. Either way I don't know why it even matters, it's a stupidly insignificant technicality that has nothing to do with the point of the video.

    • @ts8960
      @ts8960 2 years ago

      encryption is not one way