<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Thank you for your input!<br>
    <br>
    > Should I recommend using PBKDF2 for the password hashing
    algorithm? <br>
    <br>
    PBKDF2, bcrypt or scrypt are the go-to algorithms for password
    storage.<br>
    <br>
    > Are SHA1/SHA-256 references to stale or outdated documentation?
    <br>
    <br>
    They are referring to hashing in general, not specific to password
    storage.<br>
    <br>
    > 1. There are references to SHA1 and SHA-256 on this web
    page: <a class="moz-txt-link-freetext" href="https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet">https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet</a><i><br>
      > Only use approved public algorithms such as AES, RSA public
      key cryptography, and SHA-256 or better for hashing.</i><br>
    <br>
    I updated this. Better?<br>
    <br>
<a class="moz-txt-link-freetext" href="https://www.owasp.org/index.php?title=Cryptographic_Storage_Cheat_Sheet&diff=190828&oldid=187902">https://www.owasp.org/index.php?title=Cryptographic_Storage_Cheat_Sheet&diff=190828&oldid=187902</a><br>
    <br>
    Aloha,<br>
    Jim<br>
    <blockquote
cite="mid:CAABd0sBOB4KAdRKmRxcEaYNrdcU6_HjSn+M4hW0ByR37JM0=ow@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div dir="ltr">
          <div>
            <div>
              <div><br>
                2. However, this document does not mention anything
                regarding SHA, AES, RSA, etc...<br>
                <a moz-do-not-send="true"
                  href="https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet"
                  target="_blank">https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet</a><br>
                <br>
                <i>Leverage an adaptive one-way function<br>
                  <br>
                  Adaptive one-way functions compute a one-way
                  (irreversible) transform. Each function allows
                  configuration of ‘work factor’. Underlying mechanisms
                  used to achieve irreversibility and govern work
                  factors (such as time, space, and parallelism) vary
                  between functions and remain unimportant to this
                  discussion.<br>
                  <br>
                  Select:<br>
                  <br>
                  PBKDF2 [*4] when FIPS certification or enterprise
                  support on many platforms is required;<br>
                  scrypt [*5] where resisting any/all hardware
                  accelerated attacks is necessary but support isn’t.<br>
                  bcrypt where PBKDF2 or scrypt support is not
                  available.</i><br>
              </div>
              <div><i><br>
                </i></div>
              <div><br>
              </div>
              <div>Thanks in advance for your clarification and/or
                consideration to this request.</div>
              <font color="#888888">
                <div><br>
                </div>
                <div>Kenneth Po</div>
              </font></div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
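    Added example, not part of the original thread or of the OWASP cheat sheets: a sketch of the "adaptive one-way function with a configurable work factor" idea quoted above, using PBKDF2-HMAC-SHA256 from the Python standard library. The record format, the function names and the iteration count are assumptions made for this illustration.<br>
    <br>
<pre>
```python
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"  # label for this example's record format (assumption)
ITERATIONS = 600_000         # work factor; assumed policy value, tune for your hardware
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = os.urandom(SALT_BYTES)  # unique random salt per stored credential
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password, record, policy_iterations=ITERATIONS):
    """Return (ok, needs_rehash).

    needs_rehash is True when the password is correct but the record was
    created with a lower work factor than the current policy, so the caller
    can store a fresh hash while the plaintext is available at login.
    """
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:
        return False, False  # malformed record: reject, never guess
    if algorithm != ALGORITHM or 1 > iterations:
        return False, False
    # Recompute with the salt and work factor stored alongside the digest.
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    ok = hmac.compare_digest(actual, expected)  # constant-time comparison
    return ok, ok and policy_iterations > iterations
```
</pre>
    Storing the iteration count inside each record is what lets the work factor be raised later without invalidating existing credentials.<br>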
  </body>
</html>