Ibn Saeed
Hello
 
I was asking some questions about MD5 password encryption in some forum.
 
Most of the coders said that plain MD5 is not a good way of storing passwords online.
 
One of them referred me to this site:
http://www.codinghorror.com/blog/archives/000953.html
 
 
The main points are listed below:
 
1) Do not invent your own "clever" password storage scheme.
I know, you're smart, and you grok this crypto stuff. But through this door lies madness -- and abominations like LMHash that have ongoing, worldwide security ramifications we're still dealing with today. Take advantage of whatever password storage tools your framework provides, as they're likely to be a heck of a lot better tested and more battle-proven than any crazy scheme you and your team can come up with on your own. Security vulnerabilities, unlike functionality bugs in your application, run deep and silent. They can lay dormant for years.
 
2) Never store passwords as plaintext.
This feels like security 101 and is completely obvious in retrospect. But not everyone knows what you know -- just ask Reddit. Store the hashes, never the actual passwords. Educate your fellow developers.
 
3) Add a long, unique random salt to each password you store.
The point of a salt (or nonce, if you prefer) is to make each password unique and long enough that brute force attacks are a waste of time. So, the user's password, instead of being stored as the hash of "myspace1", ends up being stored as the hash of 128 characters of random unicode string + "myspace1". You're now completely immune to rainbow table attack.
 
4) Use a cryptographically secure hash.
I think Thomas hates MD5 so very much it makes him seem a little crazier than he actually is. But he's right. MD5 is vulnerable. Why pick anything remotely vulnerable, when you don't have to? SHA-2 or Bcrypt would be a better choice.
 
 
What do you people say about ViArt's present way of storing passwords?
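The difference between the two schemes the post contrasts (unsalted MD5 versus a per-user random salt with a stronger, slower hash) can be shown in a few lines. The following is an added example, not code from the post, from the linked article, or from ViArt; it uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for the "SHA-2 or bcrypt" recommendation, and the iteration count, salt length and record format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for the example (not ViArt settings).
ITERATIONS = 200_000   # work factor: makes each guess expensive for an attacker
SALT_BYTES = 16        # random salt per stored password

def md5_plain(password: str) -> str:
    """The unsalted MD5 scheme the post warns against.

    Identical passwords always give identical digests, so one precomputed
    (rainbow) table of common passwords breaks every account that uses them.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash stored as a self-describing record.

    Record layout (constructed for this example): algo$iterations$salt$digest.
    Storing the salt and iteration count next to the digest lets the work
    factor be raised later without invalidating existing records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)           # fresh random salt for each password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False                            # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    # hmac.compare_digest avoids leaking where the two digests first differ.
    return hmac.compare_digest(candidate, expected)

def two_users_same_password(password: str) -> dict:
    """Show why salting matters: two accounts with the same password.

    Returns whether the stored values collide under each scheme.
    """
    return {
        "md5_records_identical": md5_plain(password) == md5_plain(password),
        "salted_records_identical": hash_password(password) == hash_password(password),
    }

if __name__ == "__main__":
    # Constructed sample input, using the password from the quoted article.
    record = hash_password("myspace1")
    print("stored record:", record)
    print("correct password accepted:", verify_password("myspace1", record))
    print("wrong password rejected:", not verify_password("myspace2", record))
    print(two_users_same_password("myspace1"))
```

With plain MD5, two users who both chose "myspace1" end up with the same stored digest, so a single lookup table cracks both; with a random salt and an iterated hash, their records differ and each one must be attacked separately at full cost. In a real PHP application the equivalent is the framework's own password hashing API rather than hand-rolled code, which is exactly point 1 of the quoted list.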