Hi Bill.
I’m glad to see you cover a lot of important topics about dealing with passwords in Chapter 20, “Readable Passwords”.
However, I have to admit I was a bit crestfallen to see that password-specific hashing algorithms, e.g. Argon2, PBKDF2, and Bcrypt, only receive a passing mention in the very last paragraph of the chapter, and only then with the qualifier of “if you need to develop very secure systems, you should move on to more advanced techniques…”
I propose that the chapter encourage readers to consider password-specific hashing algorithms as their first choice, and only then fall back to rolling their own with SHA + salt if circumstances dictate. In my experience, using a dedicated package such as bcrypt is less intimidating, less likely to screw up, is better documented, and results in less code.
OWASP’s Password Storage Cheat Sheet provides a lot more detail and justification for why password-specific hashing algorithms should be the first choice for any system tasked with storing passwords:
Also, regarding security, perhaps the “password reset” email examples on pages 235-6 can be updated to use “https” instead of “http” in the links.
Thanks again, Bill. I think all your hard work in creating a new edition of the book will greatly benefit the industry.