As one random point: If you just hash the password, you're vulnerable to rainbow table attacks. So you want to salt the password, at the very least.

But really, what you want to do is use a framework developed by domain experts that deals with all that mess for you. Because there's a lot of surprising complexity to storing password hashes securely. So it's better to use a well-vetted library that has eyeballs and mindshare checking that it is correct.




Rainbow table attacks are significantly harder with properly hashed passwords, e.g. with bcrypt.


I think that's what they are saying: bcrypt is secure because it uses a salt and multiple rounds of hashing.


I think all bcrypt implementations implement salting by default. Same for any modern password hashing implementation.


That wasn't the point I was making. I was contrasting it with the (mis)use of e.g. SHA1 or worse, MD5.
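The two points made in this thread (the opening comment on salting instead of a bare hash, and the replies on why bcrypt is safe because of its per-user salt and configurable rounds) can be shown side by side in one small script. This is an added example and not code from any commenter. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt, because it is available everywhere and has the same two properties under discussion; the word list, the sample password and the iteration count are constructed values chosen for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample inputs for the demonstration (not real credentials).
SAMPLE_PASSWORD = "correct horse battery staple"
TINY_WORDLIST = ["123456", "password", "letmein", SAMPLE_PASSWORD]
# Assumed work factor; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def naive_sha1(password: str) -> str:
    """The weak scheme the thread warns against: one unsalted SHA1 pass.
    Every user with the same password gets the same digest, so a single
    precomputed table answers for all of them."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_precomputed_table(words) -> Dict[str, str]:
    """Digest -> password map over a word list: a toy rainbow table."""
    return {naive_sha1(w): w for w in words}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted and stretched hash. A fresh 16-byte random salt per user means
    two users with the same password store different digests, and the
    iteration count makes each guess cost real CPU time (bcrypt's 'rounds')."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Store algorithm, parameters and salt next to the digest so that
    # verification can recompute it and the cost can be raised later.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo(iterations: int = PBKDF2_ITERATIONS) -> Dict[str, bool]:
    """Contrast the two schemes for two users sharing one password."""
    table = build_precomputed_table(TINY_WORDLIST)
    alice_sha1 = naive_sha1(SAMPLE_PASSWORD)
    alice = hash_password(SAMPLE_PASSWORD, iterations=iterations)
    bob = hash_password(SAMPLE_PASSWORD, iterations=iterations)
    return {
        # Unsalted: one table lookup recovers the password for every account.
        "sha1_found_in_table": table.get(alice_sha1) == SAMPLE_PASSWORD,
        # Salted: same password, different stored strings, nothing to precompute.
        "salted_digests_differ": alice != bob,
        "alice_verifies": verify_password(SAMPLE_PASSWORD, alice),
        "bob_verifies": verify_password(SAMPLE_PASSWORD, bob),
        "wrong_password_rejected": not verify_password("hunter2", alice),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In production you would still reach for bcrypt, scrypt or Argon2 through a maintained library, as the first comment says; the point of the script is only to make the salt and work-factor mechanics visible, and the stored-string format (algorithm and parameters prefixed to the salt and digest) is what lets a library migrate users to a higher cost on their next login.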
