
I'm always nervous when people say they've lost "encrypted" passwords. We need a "plain English" version of https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet or at least issue a warning when you create a "password" VARCHAR in MySQL ;-)



I really hate that OWASP page (it's not as bad as it used to be --- that is, godawful --- and now it's just incoherent) and think we shouldn't be directing developers to it. If there's something "OWASP" (whatever that is) is truly bad at, it's cryptography.


I usually rely on OWASP for general guidelines, but if that page isn't enough for you, what is? (not a rhetorical question)

What should one look into in order to fill in OWASP's gaps?


What things would you change?


What's wrong with it?


> issue a warning when you create a "password" VARCHAR in MySQL

I put my salted and bcrypt'ed passwords in a CHAR or VARCHAR column named "password". Anything wrong with that? Should I change the name of the column to something like "hashed_password"?


The name of the column isn't a problem, rather it's an opportunity to nudge the developer a bit. Or that's how I read the GP's comment.


Indeed. It's that even if you store a hash, it might still not follow best practices getting there. Perhaps I should be petitioning sqlite, since it's more of a developer warning than a production one. But really -- it was a joke ;-)



