We understand the trade-offs and risks associated with this shift.
Todd Wolfson

Wouldn’t bcrypt with many rounds and a unique salt render any ‘stolen hashes’ useless? The issue with ‘stolen passwords’ can be solved by much simpler means: do not allow users to set their passwords. I’m working in the hosting business, where the password to a customer’s control panel is a huge deal for hackers. It’s the third hosting company I’ve worked with, and all three do not allow ‘user passwords’. Passwords are simply generated on the JS/server side and presented to the user at registration or via email. Those passwords are unique, strong, and hellishly hard to remember. If our hash database leaks out, it would be useless to anyone — try to break something like this: “orz0obEmlovid!”, “sorelinJaucVi”, “aigUshcyWraf”, “WactAd}Greed” (I generated them right now with apg).
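The two pieces of the comment above (server-generated random passwords plus a salted, slow hash) as a worked example. This is added illustration code, not code from the comment author or from any hosting company's control panel. It assumes the Python standard library only: passwords come from the `secrets` CSPRNG, and because `bcrypt` is a third-party package the slow hash is swapped for PBKDF2-HMAC-SHA256 from `hashlib` with a per-user random salt, which plays the same role here. The entropy and cracking-time figures are computed from an assumed guess rate, not measured.

```python
import hashlib
import hmac
import math
import os
import secrets
import string
from typing import Optional

# Character set for generated passwords (assumption: 71 symbols, roughly the
# mix of letters, digits and punctuation seen in the comment's apg samples).
ALPHABET = string.ascii_letters + string.digits + "!}@#$%^&*"


def generate_password(length: int = 14) -> str:
    """Server-side password the user never chooses, drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def password_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def expected_seconds_to_crack(entropy_bits: float, guesses_per_second: float) -> float:
    """Average time to find a uniformly random password by brute force:
    half the keyspace divided by the attacker's guess rate (rate is an assumption)."""
    return (2.0 ** entropy_bits / 2.0) / guesses_per_second


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> dict:
    """Store salt, work factor and digest; a unique 16-byte salt per record means
    a leaked table cannot be attacked with one precomputed table for all users."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and work factor; constant-time compare."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    pw = generate_password()
    bits = password_entropy_bits(len(pw))
    # Assumed attacker rate: 1e9 slow-hash guesses per second (a generous figure).
    years = expected_seconds_to_crack(bits, 1e9) / (365 * 24 * 3600)
    print(f"generated: {pw}  entropy: {bits:.1f} bits  brute force: {years:.2e} years")
    rec = hash_password(pw)
    print("verify ok:", verify_password(pw, rec), " wrong pw:", verify_password(pw + "x", rec))
```

The point the numbers make is the one the comment makes: a 14-character password over a 71-symbol alphabet carries about 86 bits of entropy, so even at a billion slow-hash guesses per second the expected brute-force time is measured in trillions of years, and the per-record salt rules out reusing work across the leaked table. The work factor only buys time against weak, user-chosen passwords; against uniformly random ones the keyspace itself is the defence.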
