WebAppSec/Secure Coding Guidelines

770 bytes added, 04:22, 18 July 2011
===Password Storage===
Separate from the password policy, we should have the following standards when it comes to storing passwords:
* Passwords stored in a database should be stored using the hmac+bcrypt function. The purpose of hmac and bcrypt storage is as follows:
* bcrypt provides a hashing mechanism which can be configured to consume sufficient time to prevent brute forcing of hash values even with many computers
* bcrypt can be easily adjusted at any time to increase the amount of work and computing required, thus providing protection against more powerful systems
* The nonce for the hmac value (a site-wide secret key) is designed to be stored on the file system and not in the database storing the password hashes. In the event of a compromise of hash values due to SQL injection, the nonce will still be an unknown value since it would not be compromised from the file system. This significantly increases the complexity of brute forcing the compromised hashes, considering both bcrypt and a large unknown nonce value. Because every stored hash depends on this key, it must be backed up separately from the database: if the key is lost, no stored password can be verified.
* The hmac operation is simply used as a secondary defense in the event there is a future computational risk with bcrypt that could leak information about the password or aid an attacker
A sample of this code is here: https://github.com/fwenzel/django-sha2
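The following is an added example of the layering described above, written for this page; it is not code from django-sha2 or from the guideline's authors. It keeps the site-wide HMAC key in a file on disk, wraps the password in an HMAC with that key, and then feeds the result to a slow, tunable hash whose work factor is recorded in the stored value so it can be raised later. Because bcrypt is not in the Python standard library, PBKDF2-HMAC-SHA256 (`hashlib.pbkdf2_hmac`) stands in for bcrypt here; with the `bcrypt` package installed you would replace that one call with `bcrypt.hashpw`. The record format `hmac-pbkdf2$<key id>$<work>$<salt>$<digest>`, the key-file format, the function names and the sample key are all assumptions of this example, and the HMAC-then-slow-hash order is this example's choice.

```python
import hashlib
import hmac
import os
import secrets
import tempfile

# Algorithm tag stored with each hash. PBKDF2 stands in for bcrypt here
# only because bcrypt is not in the Python standard library.
ALGORITHM = "hmac-pbkdf2"
DEFAULT_WORK_FACTOR = 15  # 2**15 PBKDF2 iterations; raise it as hardware improves


def load_hmac_keys(path):
    """Read site-wide HMAC keys from a file on disk, never from the database.

    Assumed file format (one key per line): <key id>=<hex-encoded key>.
    Keeping several keys, each with an id, allows rotation without
    invalidating hashes made under an older key.
    """
    keys = {}
    with open(path, "r") as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key_id, hexkey = line.split("=", 1)
            keys[key_id.strip()] = bytes.fromhex(hexkey.strip())
    return keys


def _prehash(password, hmac_key):
    """HMAC the password with the site-wide key before the slow hash."""
    return hmac.new(hmac_key, password.encode("utf-8"), hashlib.sha512).digest()


def hash_password(password, keys, key_id, work_factor=DEFAULT_WORK_FACTOR):
    """Return a self-describing record: algorithm, key id, work factor, salt, digest."""
    mac = _prehash(password, keys[key_id])
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", mac, salt, 2 ** work_factor)
    return "$".join([ALGORITHM, key_id, str(work_factor), salt.hex(), digest.hex()])


def verify_password(password, stored, keys):
    """Recompute the record with the parameters it carries and compare in constant time."""
    try:
        algorithm, key_id, work, salt_hex, digest_hex = stored.split("$")
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if algorithm != ALGORITHM or key_id not in keys:
        return False  # unknown format, or the HMAC key is not available
    mac = _prehash(password, keys[key_id])
    candidate = hashlib.pbkdf2_hmac("sha256", mac, salt, 2 ** int(work))
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored, current_key_id, current_work_factor):
    """True when a successful login should re-hash under the current key or work factor."""
    _, key_id, work, _, _ = stored.split("$")
    return key_id != current_key_id or int(work) < current_work_factor


def demo():
    """Round trip through a key file on disk and show that a DB dump alone is not enough."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        key_path = os.path.join(tmp, "hmac_keys.txt")
        with open(key_path, "w") as f:  # constructed key file for this demo only
            f.write("# site-wide HMAC keys, kept outside the database\n")
            f.write("2011-07=" + secrets.token_hex(32) + "\n")
        keys = load_hmac_keys(key_path)

        stored = hash_password("correct horse battery staple", keys, "2011-07")
        results["record"] = stored
        results["verified"] = verify_password("correct horse battery staple", keys=keys, stored=stored)
        results["wrong_password"] = verify_password("Tr0ub4dor&3", stored, keys)
        # An attacker who dumped the table via SQL injection has the record but
        # not the key file; a guess of the correct password cannot be confirmed.
        results["verified_without_key"] = verify_password(
            "correct horse battery staple", stored, {"2011-07": bytes(32)})
        results["upgrade_due"] = needs_rehash(stored, "2011-07", DEFAULT_WORK_FACTOR + 1)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```

The work factor and key id travel with each record, so raising the cost or rotating the key is a matter of changing the current settings and re-hashing on the next successful login where `needs_rehash` says so; old records stay verifiable as long as the old key remains in the key file.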