◦
How facebook hash its passwords
blog
$cur = 'plaintext'
$cur = md5($cur)
$salt = randbytes(20)
$cur = hmac_sha1($cur, $salt)
$cur = cryptoservice::hmac($cur)
[= hmac_sha256($cur, $secret)]
$cur = scrypt($cur, $salt)
$cur = hmac_sha256($cur, $salt)
tl;dr: the md5 is here for legacy purpose, cryptoservice::hmac is to add a secret salt, scrypt (which is a kdf not a hash) is for slowing brute force attempts and the sha256 is here for shortening the output.
suggested reads: