Quote (Perykles @ 25 Jun 2012 01:34)
Oh, no, thanks, I've been implementing waiting time myself. Just didn't really care about hashing functions...I thought sha256 + salt is completely enough, but I see it's time to reasearch more on this.
The most important part is to prevent attackers from etting access to the database. For the DB you can use passwords like ")) i95 JJ4`3j3;;§mkk:L2 dw32" since you do not enter have to enter them every now and then.
If someone gets full access to your server (database and all scripts), you already did something wrong. This is the part where a strong hasing function like pbkdf2 does its job.
If you use timered login, it costs too much time to try many passwords. I use a 5 seconds timer, displayed with javascript. The actual timer is done serverside and cannot be bypassed.
I use that timer for logins, account registration, contact form and password recovery. I used captchas before, but captchas are annoying and not safe at all.
Additional to that, I did more things to make the forms I just mentioned harder to fill out for bots. Humans do not notice anything, except the javascript countdown.
Any information sent to the site before the timer runs out gets ignored by the server.