07-19-2012, 05:47 PM
You should use a good, stretched password hashing function like PBKDF2 (perhaps with SHA512), bcrypt, or scrypt. You MUST have a unique, per-user salt (those functions require it).
If you use PBKDF2, use a sane iteration count. 1 is not sane. Benchmark it on your system and find out how long it takes, and tune it to around 5ms. You up your risk of login-based denial of service slightly, but your passwords are quite secure at that point.
What language is it being written in? If PHP, there's a quite good library here: http://www.openwall.com/phpass/
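Here is what the advice in the post above looks like in code, as an added example that is not part of the original post and not taken from phpass: PBKDF2-HMAC-SHA512 from Python's standard library, a fresh random per-user salt, a constant-time comparison on verify, and an iteration count picked by benchmarking against the ~5 ms target. The function names, the stored-string format and the 10,000-iteration floor are this example's own choices, not anything a library prescribes.

```python
import hashlib
import hmac
import os
import time

# Added example (not from the original post). Names below are this example's own.
HASH_NAME = "sha512"
SALT_BYTES = 16            # 128-bit random salt, unique per stored password
TARGET_SECONDS = 0.005     # the ~5 ms per-login target from the post
MIN_ITERATIONS = 10_000    # floor so a noisy benchmark can never hand back "1"


def pbkdf2(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a key with PBKDF2-HMAC-SHA512 (stdlib hashlib, no third-party code)."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)


def tune_iterations(target_seconds: float = TARGET_SECONDS,
                    probe_iterations: int = 10_000) -> int:
    """Benchmark PBKDF2 on this machine and scale the count to about target_seconds.

    PBKDF2 cost is linear in the iteration count, so one timed probe is enough
    to estimate how many iterations fit in the target. Run this once at deploy
    time, store the result in config, and re-tune when hardware changes.
    """
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    pbkdf2("benchmark-only", salt, probe_iterations)
    elapsed = time.perf_counter() - start
    estimate = int(probe_iterations * target_seconds / max(elapsed, 1e-9))
    return max(estimate, MIN_ITERATIONS)


def hash_password(password: str, iterations: int) -> str:
    """Return a self-describing string: scheme$iterations$salt_hex$dk_hex.

    Storing the iteration count with the hash lets you raise it later and
    still verify old records, re-hashing them on the user's next login.
    """
    if iterations < MIN_ITERATIONS:
        raise ValueError("iteration count too low; benchmark with tune_iterations()")
    salt = os.urandom(SALT_BYTES)
    dk = pbkdf2(password, salt, iterations)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute PBKDF2 with the stored salt/count and compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
    except ValueError:
        return False  # malformed record: never accept, never raise to the caller
    if scheme != f"pbkdf2_{HASH_NAME}" or iterations < 1:
        return False
    actual = pbkdf2(password, salt, iterations)
    # hmac.compare_digest avoids leaking where the first mismatching byte is
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    n = tune_iterations()
    record = hash_password("correct horse battery staple", n)
    print("iterations for ~5 ms on this box:", n)
    print("stored:", record)
    print("good password accepted:", verify_password("correct horse battery staple", record))
    print("bad password rejected:", not verify_password("Tr0ub4dor&3", record))
```

Two things to notice when you run it: hashing the same password twice yields two different records, because each call draws a new salt, and the per-login cost is whatever `tune_iterations()` measured, so the denial-of-service trade-off the post mentions is a single number you control and can lower under load.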