Patrick Nielsen over at Throwing Fire has an excellent post on Storing Passwords Securely that serves as a nice coda to my previous post on Password Advice. One of the problems that I pointed out in that post was the failure of Child Support Services to hash their passwords. Nielsen explains why this is a huge mistake.
More importantly and interestingly, Nielsen explains how to do the hashing correctly. He mentions most of the common libraries and their strengths and weaknesses. It turns out that doing it correctly is a lot more subtle than just running the password through MD5 and storing the result. Even the original Unix password hashing scheme did better than that: it used several iterations of a modified DES algorithm on a salted password. Today, machines are much more powerful and those involved with password cracking are building cheap, specialized machines using GPUs that can check billions of MD5 hashes per second.
Defending against all this is non-trivial and if you’re involved with securing passwords you should definitely take a look at Nielsen’s post. It’s got a lot of good advice and information.
You might also want to take a look at Poul-Henning Kamp’s article in the acmqueue on the dangers of not salting passwords and stretching hashes as illustrated by the recent LinkedIn password exploit.