re: PHP Security: Passwords

re: Yeah, I used HashCat to attack a Bcrypt hash before. I could do roughly 10-11 thousand attempts per second. You did take note I wasn't just HMACin...

That's what makes Bcrypt so great. Smashing through a dictionary against a compromised database is painful, and you can make it even more painful by cranking up the difficulty factor. It's very resistant against brute force attacks.

HMAC is meant for other things, like signing, where you're not dealing with brute-force attacks, where instead performance, authentication and verification are what matters. It's not in any way intended for, nor suitable for use as, a password hash.
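As an added illustration (my own example, not code from this thread or from the PHP project), here is the "cranking up the difficulty factor" idea from the comment above in PHP: calibrate the bcrypt cost to a target time on the server, verify with an upgrade path for hashes made at an older cost, and measure how fast plain HMAC-SHA256 runs by comparison. The 250 ms target, the cost cap and the key string are assumptions.

```php
<?php
// Added example (not from the original thread): tune bcrypt cost, verify, compare with HMAC.
declare(strict_types=1);

// Smallest bcrypt cost whose single hash takes at least $targetMs here (capped at $maxCost).
function calibrateBcryptCost(float $targetMs = 250.0, int $maxCost = 16): int
{
    $cost = 10; // PHP's default cost for PASSWORD_BCRYPT
    do {
        $start = hrtime(true);
        password_hash('calibration-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        if ((hrtime(true) - $start) / 1e6 >= $targetMs) {
            return $cost;
        }
        $cost++;
    } while ($cost <= $maxCost);
    return $maxCost;
}

// Verify, and flag hashes made at an older (lower) cost so they can be rehashed on login.
function verifyPassword(string $password, string $hash, int $currentCost): array
{
    $ok = password_verify($password, $hash);
    return [
        'ok' => $ok,
        'needs_rehash' => $ok && password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => $currentCost]),
    ];
}

// How many HMAC-SHA256 tags this machine computes per second (constructed key):
// fast by design, which is exactly why HMAC on its own is a poor password hash.
function hmacRatePerSecond(float $ms = 200.0): float
{
    $key = 'constructed-secret-key'; // assumption: any fixed key, value is irrelevant here
    $n = 0;
    $start = hrtime(true);
    while ((hrtime(true) - $start) / 1e6 < $ms) {
        hash_hmac('sha256', 'candidate' . $n, $key);
        $n++;
    }
    return $n / ($ms / 1000);
}

$cost = calibrateBcryptCost();
$hash = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => $cost]);
var_dump(verifyPassword('correct horse battery staple', $hash, $cost));
printf("bcrypt cost %d on this host; HMAC-SHA256 runs at ~%.0f tags/s\n", $cost, hmacRatePerSecond());
```

Re-run the calibration whenever the hardware changes; the cost is embedded in each stored hash, so password_needs_rehash() lets old hashes be upgraded transparently at the next successful login.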
