An incredibly popular question, viewed 17000 times in its first 3 weeks, this question has even led to a new Sec.SE meta meme.
In fact, our top meta meme explains why – the First Rule of Crypto is “Don’t Roll Your Own!”
So, with that in mind, Polynomial’s answer, delivered with a liberal dose of snark, explains in simple language:
This home-brew method offers no real resistance against brute force attacks, and gives a false impression of “complicated” security…Stick to tried and tested key derivation algorithms like PBKDF2 or bcrypt, which have undergone years of in-depth analysis and scrutiny from a wide range of professional and hobbyist cryptographers.
Konerak lists out some advantages of going with an existing public protocol:
- Probably written by smarter people than you
- Tested by a lot more people (probably some of them smarter than you)
- Reviewed by a lot more people (probably some of them smarter than you), often has mathematical proof
- Improved by a lot more people (probably some of them smarter than you)
- At the moment just one of those thousands of people finds a flaw, a lot of people start fixing it
KeithS also gives more detail:
- MD5 is completely broken
- SHA-1 is considered vulnerable
- More hashes don’t necessarily mean better hashing
- Passwords are inherently low-entropy
- This scheme is not adding any significant proof of work
Along with further answers, the discussion on this post covered a wide range of issues – well worth reading the whole thing!
Liked this question of the week? Interested in reading it or adding an answer? See the question in full. Have questions of a security nature of your own? Security expert and want to help others? Come and join us at security.stackexchange.com.
Filed under Crypto Question of the Week