If you're salting and hashing your passwords, you're doing it wrong

There was an interesting article on Salted Password Hashing - Doing it Right that appeared on HN recently.

I thought this was an interesting article. It appears to cover the underlying cryptography fairly well. It looks like a great introduction for anybody who wants to study more in this area.

However, there is a second audience, for whom I think the article is less helpful. This is the audience of developers who just want to write software that is secure. For this particular audience, I feel that the article's "Doing It Right" title is entirely incorrect. There is an abstraction layer in the middle which password storage implementors should be using, but seems to be widely missed amongst them.

To do it right, use a key derivation function.

We don't describe how to do encryption right by going into details of how ciphers are implemented. Instead, we present the high-level building blocks, with instructions. Doing encryption right, step 1: use GPG. Step 2: there is no step 2. Need more access to the internals? Then learn about the different generally accepted algorithms and cipher modes, and the myriad ways of getting it wrong. Interested in the cryptography itself? OK, then learn about how ciphers themselves work.

So in the same way, to store passwords right, use a key derivation function. Don't worry about the details of how they are implemented, unless you're interested in studying them. At that stage, remember that you're studying an implementation, not actually implementing this stuff in production.

The most important thing to know is that key derivation functions exist, that you should implement one of the accepted ones (with accepted parameters), and that you should write your code so that you can plug in or migrate to other KDFs.

Questions you should be asking are "Is KDF x widely accepted as safe to use?" and "What parameters should I be using?". Focus on using an accepted KDF and on using that KDF correctly.

If you hear about a password database being compromised, don't hear "Were the passwords hashed?" and respond with "Ah, but were they salted?". Ask "what key derivation function were they using, and with what parameters?"

This is why salting and hashing passwords is wrong. Implementations should be calling out to an accepted KDF, without regard to what the KDF is actually doing. Perhaps it will salt and hash, but that is merely an implementation detail that is not the concern of the application handling the passwords.

Read more on Wikipedia about key derivation functions and specific KDFs such as PBKDF2, bcrypt and scrypt. And forget the words "salt" and "hash" when you are talking about implementing password storage, as opposed to the implementation of KDFs themselves.