28 May 2015, 2:41 p.m.
On 05/28/2015 02:29 AM, Robert Kisteleki wrote:
Bcrypt or PBKDF2 with random salts per password is really what anyone storing passwords should be using today.

Indeed. A while ago I had a brainfart and presented it in a draft: https://tools.ietf.org/html/draft-kistel-encrypted-password-storage-00
It seemed like a good idea at the time :-) It didn't gain much traction though.
Or you could choose to not store any form of password at all on the server: https://datatracker.ietf.org/doc/rfc7486/

Mike