Awesome. Sounds like they were doing things right.
To be blunt and brutish: No, no and *no*.
Until not that long ago, I too believed that hashing and salting was the Right Way, but it seems Moore's Law got us on that one as well. As this article explains, most general-purpose hashing algorithms - like SHA2 and (the hopefully obsolete) MD5 - are designed for speedy computation, not for password security. Salting adds a layer of security indeed, fighting the much clamored rainbow tables, but it turns out CPU cycles are easy enough to come by now to crack truly *vast* amounts of "bad" hashes in nominal time.
If you currently rely on SHAx or MD5, suspect you might one day need to design a password storage system, or simply have an interest, do read that article right away, then do some more research.
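To make the point in the post above concrete, here is an added example (not the poster's code, not from the article they link) that stores the same salted password two ways and runs the same offline dictionary attack against both: a single salted SHA-256, and PBKDF2-HMAC-SHA256 with a large iteration count. It uses only Python's standard library; the salt, the wordlist and the iteration count are constructed for the demo (the 200,000 figure is an assumption chosen to keep the run short; OWASP's current guidance for PBKDF2-HMAC-SHA256 is 600,000). bcrypt, scrypt and Argon2 are the usual production choices; PBKDF2 is used here only because it ships with the interpreter.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo values (not from the thread). A fixed salt keeps the run reproducible;
# real code would generate a fresh one per user with secrets.token_bytes(16).
SALT = bytes.fromhex("8f3c2a9e1b4d6f70a1b2c3d4e5f60718")
PBKDF2_ITERATIONS = 200_000  # assumption: demo value; OWASP currently advises 600,000

# Constructed wordlist for the offline attack; the real password is near the end.
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon", "hunter2", "correcthorse"]


def fast_salted_sha256(password: str, salt: bytes = SALT) -> bytes:
    """The 'hash and salt' scheme the post warns about: one round of a general-purpose hash."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def slow_pbkdf2(password: str, salt: bytes = SALT, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """A password hash built to be slow: PBKDF2-HMAC-SHA256 iterated many times."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def new_salt() -> bytes:
    """What a real signup path would do: 16 random bytes per user."""
    return secrets.token_bytes(16)


def verify(candidate: str, stored: bytes, hash_fn) -> bool:
    """Login-side check. compare_digest avoids leaking where the digests first differ."""
    return hmac.compare_digest(hash_fn(candidate), stored)


def dictionary_attack(stored: bytes, candidates, hash_fn):
    """Attacker-side loop: hash every guess with the (known) salt until one matches.
    Returns (recovered password or None, seconds spent)."""
    start = time.perf_counter()
    for guess in candidates:
        if hmac.compare_digest(hash_fn(guess), stored):
            return guess, time.perf_counter() - start
    return None, time.perf_counter() - start


def demo(secret: str = "hunter2") -> dict:
    """Crack the same salted password under both schemes and report the per-scheme cost."""
    fast_stored = fast_salted_sha256(secret)
    slow_stored = slow_pbkdf2(secret)
    fast_found, fast_seconds = dictionary_attack(fast_stored, WORDLIST, fast_salted_sha256)
    slow_found, slow_seconds = dictionary_attack(slow_stored, WORDLIST, slow_pbkdf2)
    return {
        "fast_found": fast_found,
        "slow_found": slow_found,
        "fast_seconds": fast_seconds,
        "slow_seconds": slow_seconds,
        # How many times more work the attacker does per guess against the slow scheme.
        "slowdown": slow_seconds / fast_seconds if fast_seconds > 0 else float("inf"),
    }


if __name__ == "__main__":
    result = demo()
    print(f"salted SHA-256 : cracked {result['fast_found']!r} in {result['fast_seconds']:.6f}s")
    print(f"PBKDF2 x{PBKDF2_ITERATIONS}: cracked {result['slow_found']!r} in {result['slow_seconds']:.3f}s")
    print(f"attacker cost per guess is roughly {result['slowdown']:.0f}x higher")
```

Both schemes fall to the wordlist, because the salt is stored next to the hash and the attacker has it too; what the salt buys is only that a precomputed table is useless. The difference is the cost per guess: the SHA-256 run finishes in microseconds, the PBKDF2 run takes on the order of a second for the same six guesses, and that factor is what stands between a leaked table and a cracked user base when the attacker is running billions of guesses on GPUs rather than seven on one CPU.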
All too often, company management simply lacks the insight to understand the importance of factors like security. They want the product, and they want it as soon as possible. Things that "probably won't happen" (as an earlier poster quoted, "Why would anyone do that?") are overlooked for plain profit.