06-15-2012, 08:01 PM
(06-14-2012, 04:36 PM)blazer Wrote: PBKDF2 with another column or table containing a randomly generated long salt would be quite effective IMHO
Thanks for your input. How long do you think will be effective?
I'm also concerned whether hashing (with good salt) other credentials like username, access rights, registered date can give effect. This is why I've created a poll too. Because there are some people who advise to hash/salt them also, for the following reasons - some other plaintext information may help the intruder to single out users with privileged rights and to focus exclusively on them, rather than the whole DB dump. It will save time and in this way he will possibly get the result faster. Even registration date and/or authorization logs (by analyzing the frequency and duration) can help to exclude regular users.
The question is to what extent it is justified, and how severely it may harm the performance and reliability.