A colleague implemented our password-hashing code after a lot of research, including the recommendations at https://crackstation.net/hashing-security.htm
The resulting password hash includes the salt (which should be fine, and is necessary to verify the password) and also includes the iteration count, which is high for key stretching.
It is good that the iteration count is stored in the database, since unit tests can use lower values, and if we change the count, the existing stored password hashes can still be checked. But I wonder whether this number should be included, because wouldn't it be easier to brute-force if the iteration count were known? It seems to me that this would prevent many additional checks against each iterated account, which would otherwise be tested gradually.
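The storage scheme the question describes, as an added example that is not the asker's or their colleague's code: each record carries its own salt and iteration count, verification uses the count stored with that record, and a record hashed under an older (lower) count is re-hashed after a successful login so the policy value can be raised without breaking existing hashes. PBKDF2-HMAC-SHA256, the `$`-separated record layout and the policy constant are assumptions.

```python
import hashlib
import hmac
import os

HASH_NAME = "sha256"
SALT_BYTES = 16
CURRENT_ITERATIONS = 100_000   # assumed policy value; unit tests may pass a lower one


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return a self-describing record: '<iterations>$<salt hex>$<derived key hex>'."""
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    salt = os.urandom(SALT_BYTES)                      # fresh random salt per password
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def _parse(stored: str):
    parts = stored.split("$")
    if len(parts) != 3:
        raise ValueError("malformed password record")
    iterations, salt_hex, dk_hex = parts
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count stored in the record itself."""
    iterations, salt, expected = _parse(stored)
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)       # constant-time comparison


def needs_rehash(stored: str, target_iterations: int = CURRENT_ITERATIONS) -> bool:
    """True when the record was made with fewer iterations than current policy."""
    return _parse(stored)[0] < target_iterations


def verify_and_upgrade(password: str, stored: str,
                       target_iterations: int = CURRENT_ITERATIONS):
    """Return (ok, new_record): new_record is a replacement hash to persist, or None.

    The plaintext is only available at login, so that is the moment to migrate
    old records to the current iteration count.
    """
    if not verify_password(password, stored):
        return False, None
    if needs_rehash(stored, target_iterations):
        return True, hash_password(password, target_iterations)
    return True, None
```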