re: How to Process Passwords as a Software Developer VIEW POST

TOP OF THREAD FULL DISCUSSION
re: I would go so far as to strongly recommend against engineers implementing the password hashing routine for themselves. That requires some additiona...
 

Agreed, developer shouldn't even be doing the password hashing. I entirely forgot about the 1-2 passes issue with Argon2i, thanks for reminding me. And yes, it's about time we get TLS 1.2 and newer pushed to everybody.

To mitigate the attack there needs to be 3 or more passes with 10 or more passes over memory.

And again, too complicated for your average web developer who barely do any math in their day-to-day job who've got deadlines to meet. :)

I'm trying to find more edge cases, but no avail. Although I've already done massive amounts of research, trying to put together a post with everything about passwords and all the edge cases that come with is a little difficult. There is definitely a long list of issues and practices to avoid.

code of conduct - report abuse