Note to reader, this is the first of a two part series. You can find the second part here.
Ever get that dreadful feeling after doing a password reset, when a site kindly emails your password back to you in cleartext? Nothing is more exceedingly stupid than emailing a user their own password, and yet I encounter these sites with uninspiring regularity.
We all know passwords should be salted and hashed, with a hashing algorithm that runs relatively slowly on current generation hardware. Obvious choices are scrypt, bcrypt or PBKDF2, but this isn’t a religious debate on how to hash. What I’m interested in is, what do you do next?