Password Hashing Algorithms
The cluster focuses on debates about secure password hashing practices, primarily comparing bcrypt, scrypt, PBKDF2, and Argon2 against fast hashes like SHA-256 or SHA-1. The recurring point is that password hashes should be deliberately slow (and, in the case of scrypt and Argon2, memory-hard) to resist brute-force attacks.
Sample Comments
Not really; bcrypt is the only bet. SHA-256 is also too fast.
OK, that's a fair point. I guess I just believe bcrypt does a better job than that. :)
Can't you just use bcrypt/scrypt and be done with it?
It's not better than bcrypt for password storage; it's marginally worse. See downthread.
Why use PBKDF2 instead of bcrypt for password hashing?
bcrypt is a password hashing algorithm. It's totally fine, but newer better ones exist (scrypt and now Argon2). libsodium provides them.
Or use scrypt, which is far more secure than bcrypt. :-)
Why is bcrypt better than SHA-1?
What you describe is basically PBKDF1. If you wanted to make it slightly better, you could go with PBKDF2. It's true that bcrypt is better in some ways, but you're fine with what you're doing now. If you really wanted to improve on things you could go with scrypt which eats memory also, but it's more difficult to get things to work right.
That's the point of that article, use bcrypt because it's slow.