So you want to protect user credentials?

This one’s going to be short.

I’ve been kind of puzzled about how I can best protect user credentials for some time now. I know I should hash my passwords and I know I should salt them. But, how/what do I salt? What hashing algorithm should I use? Well, I’ve come across a freakin’ treasure trove of information regarding this today, and so here are some links.

Password Storage Cheat Sheet
Has a lot of relevant information regarding some credential storing basics
How does Dropbox store credentials?
Dropbox is probably pretty flipping secure nowadays. Here’s how they do security.
Passwords for a modern era
Has some GREAT password best-practices advice. I was so excited about this I was probably about half a centimeter away from pooping myself


Use the Argon2 hashing algorithm
Use a different salt for each user. The salt DOES NOT need to be hidden. You can store it as part of the password, or in a different database entry. Make the salt at least 32 bytes in length.