I started off researching the question “What are some common encryption algorithms and their tradeoffs?” and came across the (more general and arguably more interesting) question of “How much do we as developers need to know before we can make an informed decision?”
Encryption topics make the rounds on the internet from time to time, and often there is a chorus of “Just Use BCrypt.” Cryptography is a very involved subject that you probably don’t have time to dedicate your life to, and you can easily make dangerous mistakes if you stray from the tried and true.
On the other hand, blindly accepting decisions made for you can also be dangerous. Is saying “Just Use BCrypt” just following a cargo cult?
My Take On It
So: what algorithm should I use for storing passwords (strictly a password-hashing function rather than encryption, which is what bcrypt is)? After a couple of hours of due diligence, I don’t have a problem with just using bcrypt. As far as I can tell it’s well understood, widely accepted and widely used. We can give that answer instead of “the internet told me to.” 🙂
How much do I need to know before I can make that informed decision? After doing SOME research, it’s not hard to at least see what the options are and decide whether there’s a consensus in the community around that specific area. I feel that as a professional, it’s my responsibility to deliver the best value. Learning the deep intricacies of cryptography does not deliver as much value to my software as performing due diligence, making a reasonable choice, educating myself on proper usage (cost factor, salting handled by the library, verifying with the library’s own compare routine), and moving forward.
Otherwise… disastrous hilarity ensues!
What algorithm do you use for passwords in your system? How much about cryptography did you learn before making what you felt was an informed decision?