===Password Storage===
Separate from the password policy, we should have the following standards when it comes to storing passwords:
* Passwords stored in a database should using the hmac+bcrypt function.
The purpose of hmac and bcrypt storage is as followsPasswords stored in a database should use [https://en.wikipedia.org/wiki/Bcrypt* bcrypt provides ].Bcrypt is a hashing mechanism which can be configured algorithm designer to consume sufficient time to prevent brute forcing of hash values even keep up with many computersMoore's law.* bcrypt General hashing algorithms such as SHA512 can be easily adjusted at any time used to increase the amount of work and thus provide protection against more powerful systemsgenerate hashes very* The nonce for the hmac value is designed to be stored fast depending on the file system and not in the databases storing the password hasheshardware used. In the event of If computer B is 10 times faster thancomputer A then a compromise of SHA512 hash values due to SQL injection, the nonce will still be an unknown value since it would not be compromised from the file systemgenerated 10 times faster on computer Bthan on computer A. This significantly increases With bcrypt this isn't the complexity of brute forcing the compromised hashes considering both bcrypt and case as it introduces a large unknown nonce valuecost* The hmac operation is simply used as factor. Using this cost factor you can specify how long it should take togenerate a hash regardless of how powerful a secondary defense in the event there computer is a design weakness with bcrypt that could leak information about the password or aid an attacker.
A sample of this code is hereThere are quite a few resources available on the internet on Bcrypt, below area few ones that I consider worth reading: https * http://codahale.com/how-to-safely-store-a-password/* http://githubyorickpeterse.com/fwenzelarticles/djangouse-sha2bcrypt-fool/* https://en.wikipedia.org/wiki/Bcrypt
==== Old Password Hashes ====
