[Owasp-leaders] Algorithm Recommendations
craig.younkins at owasp.org
Tue Jul 20 13:38:06 EDT 2010
Crypto and hashing are hard. I just want to know what algorithm to use and
how it needs to be configured.
On the PythonSecurity.org wiki I have a hashing page
(http://www.pythonsecurity.org/wiki/hashing/) which discusses some of these
issues. The basic KISS recommendation is "Use a SHA-2 algorithm with a
64-bit salt and 1000 rounds." I would like to see this simple *here's what
you should use* answer to these extremely complicated questions.
Could OWASP make such a recommendation more clear? Much of this information
is scattered about and easily lets developers take an incomplete picture.
http://www.owasp.org/index.php/Hashing <- Useless
http://www.owasp.org/index.php/Guide_to_Cryptography#Hashes <- TLDR. The
most this page says about salting is "use one," but doesn't describe how to
generate a salt, how long, etc. A section on hash sizes has a generic
recommendation of bit sizes without reference to which algorithm they are
for. In reality it depends on what the algorithm is! Too complicated!!
I would really like to see such a simple statement be a current, up-to-date
recommendation by OWASP for storing passwords.
*Use a SHA-2 algorithm with a 64-bit salt and 1000 rounds.*
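As an added example, not code from this post, from OWASP, or from the PythonSecurity.org wiki, here is the recommendation above implemented in Python: a SHA-2 hash (SHA-256) with a 64-bit salt drawn from the OS CSPRNG and 1000 rounds, using `hashlib.pbkdf2_hmac` as the iteration construction, plus a constant-time verify. The `$`-separated storage format and the function names are assumptions of this example.

```python
import hashlib
import hmac
import os

ALGORITHM = "sha256"  # a SHA-2 family hash, as the post recommends
SALT_BYTES = 8        # 64-bit salt
ROUNDS = 1000         # 1000 rounds

# Storage format (an assumption of this example, not from the post):
#   pbkdf2_sha256$<rounds>$<salt hex>$<digest hex>
# Keeping rounds and salt beside the digest lets verify() recover them
# and lets the round count be raised later without breaking old records.


def hash_password(password, salt=None, rounds=ROUNDS):
    """Return a storable string: SHA-256, 64-bit random salt, `rounds` iterations."""
    if salt is None:
        # The salt must come from a CSPRNG, never time() or random.random().
        salt = os.urandom(SALT_BYTES)
    if len(salt) != SALT_BYTES:
        raise ValueError("salt must be exactly %d bytes (64 bits)" % SALT_BYTES)
    # pbkdf2_hmac (Python 3.4+) iterates HMAC-SHA256 `rounds` times over
    # password and salt; this is the standard 'SHA-2 + salt + rounds' form.
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, rounds)
    return "$".join(["pbkdf2_" + ALGORITHM, str(rounds), salt.hex(), digest.hex()])


def verify_password(password, stored):
    """Recompute the hash with the stored salt/rounds and compare in constant time."""
    try:
        scheme, rounds, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected_digest = bytes.fromhex(digest_hex)
        rounds = int(rounds)
    except ValueError:
        return False  # malformed record: reject rather than raise
    if scheme != "pbkdf2_" + ALGORITHM or len(salt) != SALT_BYTES:
        return False
    actual = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, rounds)
    # compare_digest avoids leaking the matching prefix length via timing.
    return hmac.compare_digest(actual, expected_digest)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```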