[OWASP-cheat-sheets] OWASP Cheat Sheets Question - Password Hashing

Kenneth Po kxp43 at case.edu
Mon Mar 2 03:19:35 UTC 2015

Dear OWASP Mailing List,

Hello. With regards to password hashing algorithms, it looks like there is
inconsistent advice. It is a bit confusing when making recommendations and
creating prototypes for my applications.

Should I recommend using PBKDF2 for the password hashing algorithm?
Are SHA1/SHA-256 references to stale or outdated documentation?

1. There are references to SHA1 and SHA-256 on this web page:

*Only use approved public algorithms such as AES, RSA public key
cryptography, and SHA-256 or better for hashing.*

2. However, this document does not mention anything regarding SHA, AES,
RSA, etc...

*Leverage an adaptive one-way function

Adaptive one-way functions compute a one-way (irreversible) transform. Each
function allows configuration of ‘work factor’. Underlying mechanisms used to
achieve irreversibility and govern work factors (such as time, space, and
parallelism) vary between functions and remain unimportant to this discussion.

Select:

- PBKDF2 [*4] when FIPS certification or enterprise support on many platforms
  is required;
- scrypt [*5] where resisting any/all hardware accelerated attacks is
  necessary but support isn’t.
- bcrypt where PBKDF2 or scrypt support is not

Thanks in advance for your clarification and/or consideration to this

Kenneth Po