Is it a good idea to create relatively simple passwords for websites and use SHA-256 to hash them?
No, use bcrypt you fucking mong.
>>61303551
Why don't you use a hashing algorithm actually made for password hashing like bcrypt?
>>61303570
>>61303571
To clarify, this is what they are talking about: https://security.stackexchange.com/a/6415
Just treat pass "words" as random binary blobs. Use GRC secure passwords to generate one set of 64 random printable characters for every website and use whatever password manager you like to remember them.
Keep in mind many sites are stupid enough to have a maximum password length limit. You're gonna have headaches with the simple method outlined above, let's not even consider SHA-256.
>>61303655
I think he's talking about making up easy passwords and then using SHA-256 to generate a huge string to serve as the password from the site's point of view.
I seriously doubt he's writing his own authentication solution. If he is then he should strongly consider killing himself instead.
>using a technique that takes 100ms to check the passwords
Enjoy your DoS, losers...
>>61305121
>5 wrong attempts
>locked out for 5 minutes
>lock out period increases exponentially
>>61303551
No, because hashing does not increase the entropy of the passwords.
>>61305440
This is ill-advised; if you lock out, they switch to using DDoS and switch locked resources to a different IP. The correct approach when a flood is detected is to silently flag the IPs (or invalidate session tokens in some cases) to fail the checks as inexpensively and normal-seemingly as possible for the duration of the "lockout," whose timer resets on any attempt.
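The flood handling described in the post above, combined with the slow password hash the thread recommends, as an added example that is not code from the thread or from any poster. The threshold of 5 failures, the 5-minute base lockout that doubles per flag, the use of stdlib scrypt as the slow hash, and the injectable `clock` are all assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

MAX_FAILURES = 5        # flood threshold (assumed; mirrors ">5 wrong attempts")
BASE_LOCKOUT = 300.0    # seconds (assumed; mirrors ">locked out for 5 minutes"), doubles per flag


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Deliberately slow password hash (scrypt from the stdlib); returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


class LoginGuard:
    """Silently flags flooding IPs instead of announcing a lockout to the client."""

    def __init__(self, users: dict, clock=time.time):
        self.users = users                          # username -> (salt, digest)
        self.clock = clock                          # injectable so tests need not sleep
        self.failures: dict = {}                    # consecutive failures per IP
        self.strikes: dict = {}                     # how many times an IP has been flagged
        self.flagged_until: dict = {}               # IP -> time the flag expires

    def _lockout(self, ip: str) -> float:
        return BASE_LOCKOUT * 2 ** (self.strikes[ip] - 1)   # exponential back-off

    def check(self, ip: str, username: str, password: str) -> bool:
        now = self.clock()
        until = self.flagged_until.get(ip)
        if until is not None:
            if now < until:
                # Flagged: fail cheaply (no slow hash) and restart the timer, so the
                # response looks like an ordinary wrong guess and costs the server nothing.
                self.flagged_until[ip] = now + self._lockout(ip)
                return False
            del self.flagged_until[ip]
        # Hash even for unknown users so timing does not reveal which names exist.
        salt, digest = self.users.get(username, (bytes(16), bytes(64)))
        computed = hash_password(password, salt)[1]
        if username in self.users and hmac.compare_digest(computed, digest):
            self.failures[ip] = 0
            return True
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= MAX_FAILURES:
            self.failures[ip] = 0
            self.strikes[ip] = self.strikes.get(ip, 0) + 1
            self.flagged_until[ip] = now + self._lockout(ip)
        return False
```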