Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes
The short version is that computers are really fast and most digest algorithms (like MD5 and SHA1) are designed to run quickly, meaning that a cracker who gets his hands on your password database can process very large numbers of attempts in a reasonable period of time, which makes brute-force cracking feasible.
bcrypt, on the other hand, is designed to be slow today and easily tunable to be even slower as computers get faster. If it takes, say, a tenth of a second to bcrypt a password for your system, then users won't notice any difference, but crackers will only be able to process 10 attempts per second instead of the millions of MD5 or SHA1 hashes they could generate. End result: Greatly reduced susceptibility to brute-force cracking.
In reply to Re: Storing encrypted passwords and validating
by dsheroh
in thread Storing encrypted passwords and validating
by zerohero
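The tunable-cost idea the reply describes, as an added example (not code from the post or from PerlMonks). It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt, since the point is the same: a salted, deliberately slow hash whose work factor is stored beside the digest so it can be raised later. The `$pbkdf2-sha256$` storage format, the `calibrate_iterations` / `needs_rehash` helpers and the sample passwords are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os
import time

# Assumed for this example: PBKDF2 with SHA-256 stands in for bcrypt.
KDF_HASH = "sha256"


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, iterations, salt=None):
    """Return a self-describing string: $pbkdf2-sha256$<iterations>$<salt>$<digest>.

    Storing the iteration count with the hash is what makes the cost tunable:
    old records keep verifying while new ones can use a higher count.
    """
    if salt is None:
        salt = os.urandom(16)  # per-password random salt defeats rainbow tables
    digest = hashlib.pbkdf2_hmac(KDF_HASH, password.encode("utf-8"),
                                 salt, iterations, dklen=32)
    return "$pbkdf2-%s$%d$%s$%s" % (KDF_HASH, iterations, _b64(salt), _b64(digest))


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        _, scheme, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if scheme != "pbkdf2-" + KDF_HASH:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac(KDF_HASH, password.encode("utf-8"),
                                 salt, int(iterations), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def iterations_of(stored):
    """Work factor recorded in a stored hash."""
    return int(stored.split("$")[2])


def needs_rehash(stored, current_iterations):
    """True when a record was hashed below today's target cost (upgrade on next login)."""
    return iterations_of(stored) < current_iterations


def calibrate_iterations(target_seconds=0.1, start=1000):
    """Double the iteration count until one hash takes at least target_seconds.

    Re-run this when hardware gets faster; it is the 'easily tunable' knob.
    """
    iterations = start
    while True:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac(KDF_HASH, b"calibration", b"\x00" * 16, iterations, dklen=32)
        if time.perf_counter() - t0 >= target_seconds:
            return iterations
        iterations *= 2


def compare_rates(iterations, fast_samples=20000, slow_samples=20):
    """Return (plain SHA-1 guesses/sec, PBKDF2 guesses/sec) measured on this machine."""
    t0 = time.perf_counter()
    for i in range(fast_samples):
        hashlib.sha1(b"guess%d" % i).digest()
    fast_rate = fast_samples / (time.perf_counter() - t0)

    t0 = time.perf_counter()
    for i in range(slow_samples):
        hashlib.pbkdf2_hmac(KDF_HASH, b"guess%d" % i, b"\x00" * 16, iterations, dklen=32)
    slow_rate = slow_samples / (time.perf_counter() - t0)
    return fast_rate, slow_rate


if __name__ == "__main__":
    cost = calibrate_iterations(0.1)
    record = hash_password("correct horse battery staple", cost)  # constructed sample
    print("stored:", record)
    print("good password verifies:", verify_password("correct horse battery staple", record))
    print("bad password verifies:", verify_password("Tr0ub4dor&3", record))
    fast, slow = compare_rates(cost)
    print("SHA-1 guesses/sec: %.0f, PBKDF2 guesses/sec: %.1f" % (fast, slow))
```

Running it prints the calibrated record and the two guess rates side by side; the ratio between them is the factor by which an offline attack is slowed down for the same user-visible delay.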