We have read for you a very interesting article on the best practices and procedures used to secure the storage of passwords.
We share this article with you; here is how it begins:
Time and time again you hear about a company having all of their users' passwords, or "password hashes", compromised, and often there's a press response including one or more prominent security researchers demonstrating how 1,000 users had the password "batman", and so on. It's surprising how often this happens considering we've had ways to do password authentication that don't expose users' passwords, or at least make it significantly harder to crack them, for several decades.
Personally, I think it boils down to a fundamental misunderstanding about what cryptographic hash functions are and what they are—or should be—used for, and a failure on the part of security researchers and advocates, myself included, to properly explain and emphasize the differences. So here's an attempt to explain why "SHA 256-bits enterprise-grade password encryption" is only slightly better than storing passwords in plain text.
If you are familiar with cryptographic hash functions like MD5, SHA-1 and SHA-256, and perhaps even use them for password authentication, please jump to Cryptographic Hash Functions Are Not Password Hash Functions.
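As an added illustration of the point the excerpt makes (example code, not part of the quoted article or its author's work), the following Python contrasts a single unsalted SHA-256 per password with a salted, deliberately slow password hash (PBKDF2-HMAC-SHA256). The wordlist, the user records and the iteration count are constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a list of common passwords (example data only)
COMMON_PASSWORDS = ["batman", "123456", "password", "letmein"]

# Assumed cost parameter for this example; tune to your own hardware budget
PBKDF2_ITERATIONS = 600_000


def naive_sha256(password: str) -> str:
    """The 'SHA-256 enterprise-grade' scheme: one fast, unsalted hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_table_hits(stored_hashes: dict, wordlist=COMMON_PASSWORDS) -> dict:
    """Defender's self-check: hash the wordlist ONCE, then match every stored
    hash against that table. Without a salt, one table serves all users, and
    every user who chose the same password is recovered at the same time."""
    table = {naive_sha256(word): word for word in wordlist}
    return {user: table[h] for user, h in stored_hashes.items() if h in table}


def pbkdf2_hash(password: str, salt: bytes = None) -> tuple:
    """A password hash function: per-user random salt plus an iterated KDF.
    Returns (salt, digest); both are stored, the salt need not be secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def pbkdf2_verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = pbkdf2_hash(password, salt)
    return hmac.compare_digest(digest, expected)


def demo() -> dict:
    # Constructed users; alice and bob share the weak password from the article
    users = {"alice": "batman", "bob": "batman", "carol": "a long unique passphrase"}
    naive_store = {u: naive_sha256(p) for u, p in users.items()}
    kdf_store = {u: pbkdf2_hash(p) for u, p in users.items()}
    return {
        "naive_identical": naive_store["alice"] == naive_store["bob"],
        "naive_cracked": lookup_table_hits(naive_store),
        "kdf_identical": kdf_store["alice"][1] == kdf_store["bob"][1],
        "kdf_verifies": pbkdf2_verify("batman", *kdf_store["alice"]),
    }
```

Running `demo()` shows both users' unsalted hashes are identical and both are recovered by the single lookup table, while the salted KDF digests differ and each verification costs a full iterated computation.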