PMYB2 2 points

Do you hash your users' passwords?

x0x7 1 point Edited

Yep. pbkdf2 with a random number of cycles plus per user salt so it's impossible to be rainbow tabled.

It's a random range for the cycles so everyone will get a high number. The point is that someone can't just say, oh, 100,000 cycles. I have a rainbow table for just that. The salt should also take care of it, but who knows, some attack in the future might reduce its value if the salt is known.

Edit: Just looked at my code. It's 100,000 cycles plus or minus 256.
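The scheme described in the comment above, sketched as an added example (not x0x7's code): PBKDF2 with a per-user random salt and a per-user iteration count of 100,000 plus or minus 256, both stored next to the hash so the password can be verified later. The SHA-256 PRF, the 16-byte salt and the `$`-separated record format are assumptions; the thread does not state them.

```python
import hashlib
import hmac
import secrets

BASE_ITERATIONS = 100_000  # figure quoted in the comment
JITTER = 256               # "plus or minus 256"
SALT_BYTES = 16            # assumption: salt length is not given in the thread
HASH_NAME = "sha256"       # assumption: the PRF is not given in the thread
SCHEME = f"pbkdf2_{HASH_NAME}"


def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' for storage."""
    salt = secrets.token_bytes(SALT_BYTES)
    # randbelow(513) yields 0..512, so the count falls in 99,744..100,256.
    iterations = BASE_ITERATIONS - JITTER + secrets.randbelow(2 * JITTER + 1)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and count, compare in constant time."""
    try:
        scheme, iter_s, salt_hex, digest_hex = record.split("$")
        iterations = int(iter_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record
    if scheme != SCHEME:
        return False
    # Reject counts outside the issued range, so an altered row cannot
    # force a trivially small or an unbounded amount of work.
    if not BASE_ITERATIONS - JITTER <= iterations <= BASE_ITERATIONS + JITTER:
        return False
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")  # constructed sample
    print(stored)
    print(verify_password("correct horse battery staple", stored))
```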