Changes


WebAppSec/Secure Coding Guidelines

340 bytes added, 16:17, 12 October 2011
Pls email me to discuss - Undo revision 357366 by Yorickpeterse (talk)
===Password Storage===
Separate from the password policy, we should have the following standards when it comes to storing passwords:
* Passwords stored in a database should use the hmac+bcrypt construction: the password is first HMACed with a secret key that is kept outside the database, and the result is then hashed with bcrypt.
The purpose of hmac and bcrypt storage is as follows:
* bcrypt provides a hashing mechanism with a configurable cost factor, so each guess consumes enough time to make brute forcing of stolen hash values expensive even for an attacker with many computers.
* bcrypt's cost factor can be raised at any time to increase the amount of work per hash and thus keep pace with more powerful systems.
* The secret key for the hmac value (the original text calls it a "nonce"; it is a long-lived secret key, not a per-use nonce) is designed to be stored on the file system and not in the database that holds the password hashes. In the event of a compromise of hash values due to SQL injection, the key remains unknown to the attacker since it was not part of the compromised database. This significantly increases the complexity of brute forcing the compromised hashes, because every candidate password would have to be HMACed with the unknown key before bcrypt could be applied.
* The hmac operation is also used as a secondary defense in the event there is a design weakness with bcrypt that could leak information about the password or aid an attacker.
A sample of this code is here: https://github.com/fwenzel/django-sha2

The text this revision replaces (revision 357366 by Yorickpeterse) read:

Passwords stored in a database should use [https://en.wikipedia.org/wiki/Bcrypt bcrypt]. Bcrypt is a hashing algorithm designed to keep up with Moore's law. General hashing algorithms such as SHA512 are designed to be fast, and how fast depends only on the hardware used: if computer B is 10 times faster than computer A, a SHA512 hash is generated 10 times faster on computer B than on computer A. Bcrypt introduces a cost factor. Using this cost factor you can specify how much work it takes to generate a hash, and raise it as computers become more powerful.

There are quite a few resources available on the internet on Bcrypt, below are a few that I consider worth reading:
* http://codahale.com/how-to-safely-store-a-password/
* http://yorickpeterse.com/articles/use-bcrypt-fool/
* https://en.wikipedia.org/wiki/Bcrypt
Keep in mind that while bcrypt is secure you should still enforce good passwords.
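The following is an added example, not code from this wiki page or from django-sha2, showing the hmac+slow-hash construction described above in Python. The secret key is read from a file on the file system, the password is HMACed with that key, and the HMAC output is then fed to a cost-adjustable password hash. Because the Python standard library has no bcrypt, `hashlib.pbkdf2_hmac` with an iteration count stands in for bcrypt and its cost factor; the storage format `hmac-pbkdf2$cost$salt$hash` and the function names are assumptions of this example. With a real bcrypt library the only change is the inner call.

```python
import hashlib
import hmac
import os

# Stored-record layout (an assumption of this example, loosely modelled on
# Django's "algorithm$params$salt$hash" style):
#   hmac-pbkdf2$<iterations>$<salt hex>$<hash hex>
ALGORITHM = "hmac-pbkdf2"
DEFAULT_COST = 100_000  # work factor; raise it as hardware gets faster


def load_secret(path):
    """Read the HMAC key from the file system, never from the database.

    A SQL injection that dumps the users table does not expose this file,
    so the attacker cannot compute the HMAC needed to test guesses.
    """
    with open(path, "rb") as f:
        secret = f.read().strip()
    if len(secret) < 32:
        raise ValueError("HMAC secret must be at least 32 bytes")
    return secret


def _prehash(password, secret):
    # HMAC-SHA256 of the password under the file-system secret. The hex
    # encoding matters when the inner hash is real bcrypt: bcrypt stops at
    # the first NUL byte and ignores input past 72 bytes, so raw digest
    # bytes must not be passed in directly.
    return hmac.new(secret, password.encode("utf-8"), hashlib.sha256).hexdigest().encode("ascii")


def hash_password(password, secret, cost=DEFAULT_COST, salt=None):
    """Produce the record to store in the database for a new password."""
    salt = salt if salt is not None else os.urandom(16)  # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", _prehash(password, secret), salt, cost)
    return f"{ALGORITHM}${cost}${salt.hex()}${digest.hex()}"


def verify_password(password, stored, secret):
    """Check a login attempt against a stored record; constant-time compare."""
    try:
        algo, cost, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != ALGORITHM:
        return False
    salt = bytes.fromhex(salt_hex)
    candidate = hashlib.pbkdf2_hmac("sha256", _prehash(password, secret), salt, int(cost))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored, cost=DEFAULT_COST):
    """True if the record was made with a lower work factor than we now want.

    Call this after a successful login and re-hash with the current cost so
    old records are upgraded as the configured cost is raised over time.
    """
    return int(stored.split("$")[1]) < cost


if __name__ == "__main__":
    # Demo only: write a throwaway secret file so the script runs stand-alone.
    path = "hmac_secret.demo"
    with open(path, "wb") as f:
        f.write(os.urandom(32))
    key = load_secret(path)
    record = hash_password("correct horse battery staple", key)
    print(record)
    print(verify_password("correct horse battery staple", record, key))  # True
    print(verify_password("correct horse battery staple", record, b"k" * 32))  # False without the key
    os.remove(path)
```

The third check in the demo is the point of the design: an attacker who has the stored record but not the key file fails verification even with the correct password, so offline guessing against the dumped table cannot start until the key is also stolen.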