His post has a lot of words, so I'll summarize:
- Storing passwords in plaintext is obviously bad (most developers already know this)
- Using a salted-hash such as MD5 or SHA-1 isn't much better. (too easy to brute force)
- Your other clever password storage ideas are probably bad too.
- Use bcrypt instead. It was created by real cryptographers for just this kind of thing.
Here's bcrypt for Java. It has a nice simple API:
// Hash a password for the first time
String hashed = BCrypt.hashpw(password, BCrypt.gensalt());
// Check that an unencrypted password matches one that has
// previously been hashed
if (BCrypt.checkpw(candidate, hashed))
System.out.println("It matches");
else
System.out.println("It does not match");
I'm sure other popular languages have similar libraries.
