

As we're constantly working to improve Report URI, time is not always spent on new features and bug fixes. We always want to offer the most secure service we can and recently we made some upgrades that will help our users keep their accounts more secure!

Of course, we already take a bunch of existing measures to protect the precious credentials that our users trust us with, but there's always room for improvement. You can browse through our last 3 years of Penetration Test Reports, all of which are public for you to read. Alongside that, we require our own internal testing of the application, have had external code reviews and use a trusted storage provider in the form of Microsoft Azure to store all of our data. We even publish details of how we securely hash, salt and store your password in our FAQ: data is stored in Azure with AES 256-bit encryption at rest and, in transit, your password is protected by a minimum of TLSv1.2 with a strong cipher suite. We use the password_hash() function in PHP to hash your password before storage. This means we're currently using the bcrypt hashing algorithm with a work factor of 10 and a 128-bit salt. Our code:

password_hash($password, PASSWORD_DEFAULT)

Even so, we've now launched a couple of other changes to help our users keep their accounts more secure by encouraging the use of really good passwords!

If you're not familiar with Pwned Passwords, you should be! The service is part of Have I Been Pwned, run by Troy Hunt, and allows you to query if a password is part of an enormous collection of known passwords from previous data breaches.
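To make the password storage described above concrete, here is an added example (not Report URI's own code) that hashes with the same password_hash($password, PASSWORD_DEFAULT) call, pulls the work factor and the 22-character (128-bit) salt back out of the resulting bcrypt string, and shows how password_verify() and password_needs_rehash() let you raise the cost later without a forced reset. The function names hashPassword, inspectBcrypt and verifyAndMaybeRehash and the demo password are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Report URI's code. Function names are illustrative.

// Same call as in the post: PASSWORD_DEFAULT is bcrypt ($2y$) with cost 10
// in current PHP releases, and PHP generates the 16-byte (128-bit) salt.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Break a bcrypt string into its parts so the cost and salt can be checked.
// Layout: $2y$<2-digit cost>$<22-char salt><31-char digest>, bcrypt base64.
function inspectBcrypt(string $hash): array
{
    $re = '/^\$(2[aby])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/';
    if (!preg_match($re, $hash, $m)) {
        throw new InvalidArgumentException('Not a bcrypt hash');
    }
    return [
        'variant'   => $m[1],
        'cost'      => (int) $m[2],
        'salt'      => $m[3],   // 22 bcrypt-base64 chars encode 16 random bytes
        'salt_bits' => 128,
        'digest'    => $m[4],
    ];
}

// Login path: verify, and if the stored hash was made with a lower cost
// than the one now configured, replace it while the plaintext is in hand.
function verifyAndMaybeRehash(string $password, string $storedHash, int $targetCost): array
{
    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'hash' => $storedHash];
    }
    $options = ['cost' => $targetCost];
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, $options)) {
        return ['ok' => true, 'hash' => password_hash($password, PASSWORD_DEFAULT, $options)];
    }
    return ['ok' => true, 'hash' => $storedHash];
}

// Constructed demo input (assumption, not real user data).
$password = 'correct horse battery staple';
$stored   = hashPassword($password);

print_r(inspectBcrypt($stored));                 // variant 2y, cost 10, 22-char salt
var_dump(password_verify('wrong password', $stored)); // bool(false)

// Pretend the configured cost was raised to 12: the hash is upgraded on login.
$result = verifyAndMaybeRehash($password, $stored, 12);
var_dump($result['ok']);                          // bool(true)
print_r(inspectBcrypt($result['hash']));          // cost 12, fresh salt
```

Two caveats worth keeping in mind with this scheme: bcrypt only looks at the first 72 bytes of the password, so anything beyond that does not add strength, and each cost step doubles the work, so raise it gradually and measure the login latency on your real hardware rather than picking a number.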
