01-24-2014, 09:50 PM
As the competition link shows, the top 3 methods are PBKDF2/RFC2898/PKCS #5, SCRYPT, and BCRYPT.
For PBKDF2, use HMAC-SHA-512 as your hash algorithm, a per-user cryptographically random salt, and use tens of thousands of iterations. If you want to be even more advanced, use a per-user random number of iterations (for instance, when a user registers, store 64536 + RAND(32768) as the # of iterations, at the same time as you store their CRYPTO_RAND() generated salt).
At least some PBKDF2(HMAC-SHA-512) test vectors are available at http://stackoverflow.com/questions/15593...st-vectors
Don't roll your own password hashing!
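The scheme the post describes (PBKDF2 with HMAC-SHA-512, a per-user random salt, and a per-user iteration count of 64536 + RAND(32768) stored next to the salt), written out as an added example; this is not code from the post or its author. It uses Python's standard hashlib.pbkdf2_hmac rather than a hand-written PBKDF2, maps RAND(32768) to secrets.randbelow(32768), and the "$"-delimited storage string, the 16-byte salt length and the 64-byte output length are this example's own choices, not something the post specifies.

```python
import hashlib
import hmac
import secrets

# Parameters from the post: HMAC-SHA-512 and an iteration count drawn per user
# as 64536 + RAND(32768). Salt size, output size and record format are assumptions
# of this example.
HASH_NAME = "sha512"
SALT_BYTES = 16
DK_LEN = 64
BASE_ITERATIONS = 64536
ITERATION_JITTER = 32768
ALGO_TAG = "pbkdf2-sha512"


def pbkdf2_sha512(password: str, salt: bytes, iterations: int, dklen: int = DK_LEN) -> bytes:
    """PBKDF2(HMAC-SHA-512) via the standard library; usable with published test vectors."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations, dklen)


def register(password: str) -> str:
    """Build the stored record for a new user.

    The salt comes from the OS CSPRNG, and the iteration count is randomized per
    user so that the count itself is stored alongside the salt, as the post suggests.
    Record layout (assumed): algo$iterations$salt_hex$hash_hex
    """
    salt = secrets.token_bytes(SALT_BYTES)
    iterations = BASE_ITERATIONS + secrets.randbelow(ITERATION_JITTER)
    dk = pbkdf2_sha512(password, salt, iterations)
    return f"{ALGO_TAG}${iterations}${salt.hex()}${dk.hex()}"


def parse_record(record: str):
    """Split a stored record into (iterations, salt, hash); None if malformed."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO_TAG:
        return None
    try:
        iterations = int(parts[1])
        salt = bytes.fromhex(parts[2])
        digest = bytes.fromhex(parts[3])
    except ValueError:
        return None
    if iterations < 1 or not salt or not digest:
        return None
    return iterations, salt, digest


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parsed = parse_record(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    candidate = pbkdf2_sha512(password, salt, iterations, len(expected))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    rec = register("correct horse battery staple")
    print(rec)
    print("verify ok:", verify("correct horse battery staple", rec))
    print("verify wrong:", verify("Tr0ub4dor&3", rec))
```

Because the iteration count is part of the record, verification never needs a global constant, which is also what lets you raise the count for new registrations later without breaking existing users. To check the implementation against the test vectors linked in the post, call pbkdf2_sha512 with the vector's password, salt, iteration count and output length and compare the hex.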