David Wong

cryptologie.net

cryptography, security, and random thoughts

Hey! I'm David, cofounder of zkSecurity, research advisor at Archetype, and author of the Real-World Cryptography book. I was previously a cryptography architect of Mina at O(1) Labs, the security lead for Libra/Diem at Facebook, and a security engineer at the Cryptography Services of NCC Group. Welcome to my blog about cryptography, security, and other related topics.


How to store passwords? Hash or KDF?

blog

I remember a time when people would advise simply hashing the password with md5 before storing it in a database.

Then md5 became a bad choice because of rainbow tables (precomputed tables of md5 digests). The concept of a salt helped (adding a secret value to each password before hashing it).

But hashes were never meant for protecting passwords. Neither were KDFs, strictly speaking. But a KDF seems to be a better fit for that kind of task.

See Ty's blog post “Please stop hashing passwords”. He makes good points and advises using the following KDFs for the job:

  • bcrypt
  • scrypt
  • pbkdf2

Scrypt is the one used in Litecoin by the way.
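The three stages the post walks through (bare md5, salted md5, and a proper KDF), as an added example that is not part of the original post. It uses only the Python standard library; the iteration count, the scrypt parameters, the record format and the word list are constructed for the illustration, not taken from the post or from Ty's article. Note that the salt in the KDF records is random and stored in the clear next to the derived key: it only needs to differ per user so that a precomputed table cannot be reused.

```python
# Added example, not code from the original post. Contrasts unsalted md5,
# salted md5, and KDF-based password storage (PBKDF2-HMAC-SHA256 and scrypt).
import hashlib
import hmac
import os

# Constructed sample data: two users who happen to pick the same password.
ALICE_PW = b"correct horse battery staple"
BOB_PW = b"correct horse battery staple"

# Constructed word list standing in for a rainbow table's input.
WORDLIST = [b"password", b"123456", b"letmein", b"correct horse battery staple"]


def unsalted_md5(password: bytes) -> str:
    """The 'just md5 it' approach. Identical passwords give identical digests,
    so one precomputed table of md5 values matches every user at once."""
    return hashlib.md5(password).hexdigest()


# Precomputed digest -> password map, built once and reused against every
# unsalted record. This is exactly what a salt is meant to defeat.
PRECOMPUTED = {unsalted_md5(w): w for w in WORDLIST}


def lookup_unsalted(digest: str):
    """Return the word whose md5 matches, or None; no hashing at lookup time."""
    return PRECOMPUTED.get(digest)


def salted_md5(password: bytes, salt: bytes) -> str:
    """md5 with a per-user salt. The precomputed table no longer applies, but
    md5 is still very fast, so guessing per user remains cheap."""
    return hashlib.md5(salt + password).hexdigest()


# --- KDF-based storage ---
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware
SALT_LEN = 16                # 128-bit random salt


def kdf_store(password: bytes) -> str:
    """Return a self-describing record: algorithm$iterations$salt$key (hex).
    Storing the parameters lets you raise the work factor later without
    breaking verification of older records."""
    salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def kdf_verify(password: bytes, record: str) -> bool:
    """Re-derive the key with the parameters stored in the record and compare
    in constant time. Malformed or foreign records are rejected, not raised."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# Assumed scrypt parameters (memory cost 128*r*n = 16 MiB here).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def scrypt_store(password: bytes) -> str:
    """Same record idea with scrypt, the memory-hard KDF the post mentions."""
    salt = os.urandom(SALT_LEN)
    dk = hashlib.scrypt(password, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def scrypt_verify(password: bytes, record: str) -> bool:
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, dk_hex = parts
    dk = hashlib.scrypt(password, salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    print("unsalted md5 equal for both users:", unsalted_md5(ALICE_PW) == unsalted_md5(BOB_PW))
    print("precomputed lookup finds alice's password:", lookup_unsalted(unsalted_md5(ALICE_PW)))
    a, b = kdf_store(ALICE_PW), kdf_store(BOB_PW)
    print("KDF records differ despite same password:", a != b)
    print("verify ok:", kdf_verify(ALICE_PW, a), "wrong pw:", kdf_verify(b"wrong", a))
    print("scrypt record:", scrypt_store(ALICE_PW))
```

The two verify functions accept any record that carries its own parameters, so a deployment can bump `PBKDF2_ITERATIONS` (or the scrypt cost) and re-derive a user's record at their next successful login while old records keep verifying.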

blog • 2014-04-22