
Commit d960703

List example password hash algorithms early
We talk about these in detail later, but it's better to also list them early so that people will know what we mean (and thus are more likely to use them).

Signed-off-by: David A. Wheeler <[email protected]>
1 parent 19e7bec commit d960703

File tree

1 file changed

+1
-1
lines changed


secure_software_development_fundamentals.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1054,7 +1054,7 @@ If your software manages secrets like private cryptographic keys and passwords,
10541054

10551055
* Do not put live secrets in your source code. Source code is managed by version control systems and often gets spread to more people and systems than you might think.
10561056

1057-
* Store passwords used for inbound authentication with an algorithm specifically designed to do this. We will discuss these later in the course, but these kinds of algorithms are called *iterated per-user salted hash* algorithms. If done correctly, it is infeasible for an attacker to determine many passwords even if the attacker gets the encrypted password data.
1057+
* Store passwords used for inbound authentication with an algorithm specifically designed to do this. We will discuss these later in the course, but these kinds of algorithms are called *iterated per-user salted hash* algorithms (such as argon2id, bcrypt, or PBKDF2). If done correctly, it is infeasible for an attacker to determine many passwords even if the attacker gets the encrypted password data.
10581058

10591059
* Use **https://** instead of **http://**; that provides an encrypted link to prevent data leakage.
10601060
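Review bot: the added line (1057+) now names one-way password hashing algorithms (argon2id, bcrypt, PBKDF2) but the same sentence still ends with "even if the attacker gets the encrypted password data"; since these algorithms hash rather than encrypt, that wording is now inconsistent with the parenthetical and may confuse readers into thinking the stored values are reversible. Suggest "even if the attacker gets the hashed password data" (or "the stored password hashes"). Minor: the project's usual capitalization is "Argon2id", so consider matching that in the parenthetical for consistency with the later detailed section this line refers to.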
