hashing a password is not acceptable

***[tom-md's reddit comment (#1):](https://www.reddit.com/r/crypto/comments/73o1bd/web_crypto_api_basic_encryption_correct_usage/dnrso5z/)***
> *Hashing a password is not an acceptable way to create a crypto key from a password. Use something like scrypt. Generate a random salt for the encrypt operation to use in scrypt and store it with the ciphertext (along with the IV, payload)*

***[ehochx adds this in a reddit comment:](https://www.reddit.com/r/crypto/comments/73o1bd/web_crypto_api_basic_encryption_correct_usage/dnryoee/)***
> *Don't hash the password, generate a random salt and use a proper KDF*

***[RenThraysk adds this:](https://www.reddit.com/r/crypto/comments/73o1bd/web_crypto_api_basic_encryption_correct_usage/dns2qyx/)***
> *Password hashing, WebCrypto has PBKDF2 which is more suitable.*

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

hashing a password is not acceptable #1

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

hashing a password is not acceptable #1

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions