How to securely store passwords?
Use bcrypt
Use bcrypt, use bcrypt, use bcrypt... (it bears repeating).
Why not MD5, SHA1, SHA256, SHA512, SHA-3 or another hash algorithm?
These are all general-purpose hash functions. They were designed to compute a digest of a large amount of data as quickly as possible. That makes them excellent for verifying data integrity, but bad for storing passwords.
MD5 can be computed at about 330 MB per second on a modern server. If your users' passwords are six characters long and made of lowercase letters and digits, you can try every possible password in about 40 seconds.
And that is without investing in any extra hardware.
If you are willing to spend $2000 and a week picking up a CUDA-capable graphics card, you can build a small supercomputer cluster that tries 700,000,000 passwords per second. At that rate, it is estimated that you can crack those passwords at a rate of 10% per second.
Adding salt cannot save you.
It is important to note that salting does nothing to stop dictionary attacks or brute-force cracking. You can use coarse salt, or a lot of salt, or even hand-harvested, organic Himalayan pink crystal salt. It does not change how fast an attacker who holds your hashes and salts can try candidate passwords.
Salted or not, as long as you use a general-purpose hash function designed for speed, you are exposed.
Bcrypt solves these problems
How? Basically, by being deliberately slow (slow enough to frustrate an attacker, while still acceptable for a login). It is derived from the Blowfish encryption algorithm and introduces a work factor that lets you decide how expensive the hash computation is. Because of this, bcrypt can keep pace with Moore's Law: as computers get faster, you can raise the work factor to make the hash more expensive to compute.
How much more expensive is bcrypt than MD5? That depends on the work factor. With a work factor of 12, hashing "yaaa" with bcrypt takes about 0.3 seconds on my computer. MD5, by contrast, takes less than 1 microsecond.
Your passwords may not need that level of protection, and you may need a faster comparison. Fortunately, bcrypt lets you balance speed and security.
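The work-factor idea in code, as an added example that is not from the original post. bcrypt is not in Python's standard library, so this uses PBKDF2-HMAC-SHA256 (hashlib.pbkdf2_hmac) as a stand-in with the same log2 cost convention bcrypt uses (iterations = 2^factor), a fresh random salt stored beside each hash, constant-time verification, and a calibration helper that raises the factor as hardware gets faster. The record format and function names are assumptions of this example, not bcrypt's own.

```python
import hashlib
import hmac
import os
import time

# Stand-in for bcrypt's cost parameter: the work factor is a log2 value,
# so raising it by one doubles the cost of every hash (and every guess).
def _iterations(work_factor: int) -> int:
    return 1 << work_factor


def hash_password(password: str, work_factor: int = 12, salt: bytes = None) -> str:
    """Return a self-describing record: $pbkdf2-sha256$<factor>$<salt hex>$<hash hex>.

    The salt and factor are stored with the hash so that verification can
    recompute it later, and so the factor can be raised for new passwords
    without invalidating old records.
    """
    if salt is None:
        salt = os.urandom(16)  # per-password random salt; it is not a secret
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _iterations(work_factor))
    return f"$pbkdf2-sha256${work_factor}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute using the stored salt and factor; compare in constant time."""
    _, scheme, factor, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2-sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), _iterations(int(factor))
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def work_factor_of(stored: str) -> int:
    """Read the work factor back from a record (to find hashes due for an upgrade)."""
    return int(stored.split("$")[2])


def seconds_per_hash(work_factor: int) -> float:
    """Measure the cost of one hash at a given factor on this machine."""
    start = time.perf_counter()
    hash_password("yaaa", work_factor)
    return time.perf_counter() - start


def choose_work_factor(target_seconds: float, start: int = 8, max_factor: int = 31) -> int:
    """The Moore's Law knob: raise the factor until one hash costs at least target_seconds."""
    factor = start
    while factor < max_factor and seconds_per_hash(factor) < target_seconds:
        factor += 1
    return factor
```

Re-run choose_work_factor on new hardware and re-hash users' passwords at the higher factor on their next successful login.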
Long story short
Use bcrypt.