But wait. What if I use a 64-bit salt and then AES-encrypt the password with a key I store half on my server and half in a cookie I send to the user and then they'd have to break AES to get my passwords? How about that, Coda Hale?
Using a new and unproven hashing primitive to add a constant factor is much more secure than encrypting with a reliable, heavily researched protocol because __________________
Only experts should be allowed to innovate in the security domain. Passwords on lolcats are serious business!
We certainly don't want people in the software engineering industry to come up with new ideas, implement them, and see how they work in real life. That could lead to advancement in the field, and that would be bad, because I might have to learn something new. Shudder.
For a significant portion of users, the lolcats password is equivalent to the gmail password, which is game over. But don't let that get in the way of your learning experience, which is simply going to converge on bcrypt anyways.
Unlike most areas of software design, security is adversarial. If you innovate, you are betting your users' privacy on you personally being able to stay ahead of every attacker's ability to find flaws. This becomes unethical if you aren't even familiar with the current state of the art, because some attackers surely are.