On Tuesday, 21 January 2014 at 09:58:34 UTC, Uranuz wrote:
I don't feel confident about crypto and security questions, but I need to implement password hashing and session ID generation, and make it difficult to guess a password by brute force or dictionary with a single "usual" computer. I'm slightly disappointed that the more I read different articles

MD5, SHA2, SHA3, etc, none of these are valid for password
hashing. Not because of being able to generate a collision,
because that doesn't matter, but because it can be brute forced
easily. Use bcrypt or scrypt. If you really can't do that, then
hash with a salt at least a thousand times (but if done improperly
this can make it actually less secure). You should always use a
built-in thing though, ideally bcrypt or scrypt.
