re: PHP Security: Passwords

re: HMAC is intended to be fast, which makes it ideal for crackers. For passwords you want something deliberately slow. Bcrypt is one such function, an...

Yeah, I used hashcat to attack a bcrypt hash before. I could do roughly 10-11 thousand attempts per second.

You did take note I wasn't just HMACing and encrypting the password though, right? I don't want any confusion. I was using a password hashing function.

That's what makes Bcrypt so great. Smashing through a dictionary against a compromised database is painful, and you can make it even more painful by cranking up the difficulty factor. It's very resistant against brute force attacks.

HMAC is meant for other things, like signing, where you're not dealing with brute-force attacks and where performance, authentication and verification are instead what matter. It's not in any way intended for, nor suitable to use as, a password hash.

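An added example, not code posted by anyone in this thread: a small PHP script that measures, on the machine it runs on, how many HMAC-SHA256 evaluations fit in a second versus how many bcrypt verifications do at cost 10 and cost 12, and then shows the usual way of cranking the cost factor up on existing accounts with password_needs_rehash(). The password, the HMAC key and the chosen cost values are constructed for the demo; the ratePerSecond() helper is mine and not a PHP built-in.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). Compares how fast one PHP process can
// evaluate HMAC-SHA256 versus bcrypt, and shows how raising the bcrypt cost
// factor slows down every guess. The password and key below are constructed.

const PASSWORD = 'correct horse battery staple';
const HMAC_KEY = 'constructed-demo-key-not-a-real-secret';

// Hypothetical helper: count how many calls of $fn fit into about $seconds.
function ratePerSecond(callable $fn, float $seconds = 0.5): float
{
    $count = 0;
    $start = hrtime(true);                      // nanoseconds, monotonic
    $deadline = $start + (int) ($seconds * 1e9);
    do {
        $fn();
        $count++;
    } while (hrtime(true) < $deadline);
    $elapsed = (hrtime(true) - $start) / 1e9;
    return $count / $elapsed;
}

// HMAC is fast by design: good for signing, useless as a password hash
// because a cracker gets the same speed (and far more on a GPU).
$hmacRate = ratePerSecond(function (): void {
    hash_hmac('sha256', PASSWORD, HMAC_KEY);
});
printf("HMAC-SHA256:     %10.0f guesses/second in this process\n", $hmacRate);

// bcrypt: each +1 on the cost factor doubles the work per guess.
foreach ([10, 12] as $cost) {
    $hash = password_hash(PASSWORD, PASSWORD_BCRYPT, ['cost' => $cost]);
    $rate = ratePerSecond(function () use ($hash): void {
        password_verify(PASSWORD, $hash);
    }, 1.0);
    printf("bcrypt cost %2d:  %10.1f guesses/second (%s...)\n",
        $cost, $rate, substr($hash, 0, 7));
}

// Cranking up the difficulty later: password_needs_rehash() flags hashes
// stored at a lower cost, so they can be upgraded after a successful login
// while the plaintext password is briefly available.
$storedHash = password_hash(PASSWORD, PASSWORD_BCRYPT, ['cost' => 10]);
$targetOptions = ['cost' => 12];

if (password_verify(PASSWORD, $storedHash)
    && password_needs_rehash($storedHash, PASSWORD_BCRYPT, $targetOptions)) {
    $upgraded = password_hash(PASSWORD, PASSWORD_BCRYPT, $targetOptions);
    // In a real app: write $upgraded back to the user's row here.
    printf("Upgraded stored hash from %s... to %s...\n",
        substr($storedHash, 0, 7), substr($upgraded, 0, 7));
}
```

The absolute numbers depend entirely on the hardware: a single PHP process is far slower than a dedicated cracking rig, so the HMAC figure here understates the attacker's advantage, while the bcrypt figures understate it much less because bcrypt's memory access pattern does not map as well onto GPUs. What the run does show is the ratio, and that moving from cost 10 to cost 12 cuts the guess rate by about four times with a one-line configuration change.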