Before I begin I want to point out that this is one of the very, very, very few times I will ever take such a hard stance on a subject. The reason I do is because it is absolutely one of the most important things in our society that we could easily get right, but yet somehow still don’t (as noted by your story).
First, let’s talk definitions. What you’re talking about is encryption. Yes, encryption is variable length because you need to be able to reliably decrypt the encrypted data back into its original form. This works really well for things like HTTPS, text messaging, and other stuff that needs to be decrypted.
Hashing is not encryption. There is absolutely zero use-case for needing to decrypt someone’s password; this is why passwords are to be hashed and not encrypted (yes, the distinction very much matters). As such, hashing (or 1-way hashing) is fixed-length based on the type of algorithm used. MD5 I believe uses a 128-bit hash, where as SHA-1 uses 160-bit, and SHA512 uses 512-bit hashes. The bigger the hash the less likely you’ll run into something called collisions. A collision in hashing means that two (or more) values generate the same hash. That’s very bad.
Now, any “developer” that uses encryption for password storage, or tries to roll their own system, should be fired, physically branded with a hot iron on their forehead with the letter A (for dumbass), and sent back to grade school, because I guarantee you they’re doing it absolutely wrong, and they are one of the many preventable reasons why we have so many fucking data breaches these days.
Don’t roll your own encryption or password hashing. Don’t. I don’t care. There is absolutely no reason to do so. If you think there is, quit and go work a job more suited for your level of intelligence.
Before I begin I want to point out that this is one of the very, very, very few times I will ever take such a hard stance on a subject. The reason I do is because it is absolutely one of the most important things in our society that we could easily get right, but yet somehow still don’t (as noted by your story).
First, let’s talk definitions. What you’re talking about is encryption. Yes, encryption is variable length because you need to be able to reliably decrypt the encrypted data back into its original form. This works really well for things like HTTPS, text messaging, and other stuff that needs to be decrypted.
Hashing is not encryption. There is absolutely zero use-case for needing to decrypt someone’s password; this is why passwords are to be hashed and not encrypted (yes, the distinction very much matters). As such, hashing (or 1-way hashing) is fixed-length based on the type of algorithm used. MD5 I believe uses a 128-bit hash, where as SHA-1 uses 160-bit, and SHA512 uses 512-bit hashes. The bigger the hash the less likely you’ll run into something called collisions. A collision in hashing means that two (or more) values generate the same hash. That’s very bad.
Now, any “developer” that uses encryption for password storage, or tries to roll their own system, should be fired, physically branded with a hot iron on their forehead with the letter A (for dumbass), and sent back to grade school, because I guarantee you they’re doing it absolutely wrong, and they are one of the many preventable reasons why we have so many fucking data breaches these days.
Don’t roll your own encryption or password hashing. Don’t. I don’t care. There is absolutely no reason to do so. If you think there is, quit and go work a job more suited for your level of intelligence.