Possible Duplicate:
Would it make sense to use Bcrypt and PBKDF2 together?
How does the following password hashing scheme look to you?

    iterations1 = scrypt iterations required to spend 50ms on my hardware
    iterations2 = pbkdf2 iterations required to spend 50ms on my hardware
    ram1 = scrypt suggested default ram requirement
    salt1 = urandom
    salt2 = urandom
    hash = scrypt(pbkdf2(password, salt2+pepper, iterations2), iterations1, ram1, salt1+pepper)
    save(username, hash, salt1, salt2, iterations1, iterations2, ram1)

This solution was prompted by my reading of this article: http://www.unlimitednovelty.com/2012/03/dont-use-bcrypt.html.
This is to allow me to take advantage of the great features of scrypt, as well as allowing me to take advantage of the time-tested security of pbkdf2. Is it a reasonable approach? Do you think I should limit this to only use one of the two algorithms, or do you think I should only use 1 shared salt for both algorithms?
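
The layered scheme from the question above, written out as a runnable sketch with hashing, storage and verification; this is an added example, not part of the original post. It assumes Python's `hashlib`, PBKDF2-HMAC-SHA256 as the inner function, the post's scrypt cost and RAM settings expressed through the `n`, `r` and `p` parameters of `hashlib.scrypt`, and a constructed pepper value; all function names are hypothetical.

```python
import hashlib
import hmac
import os
import time

# Constructed demo value (assumption): a real pepper is stored outside the user database.
PEPPER = b"constructed-demo-pepper"

def calibrate_pbkdf2(target_s=0.05, probe=20_000):
    """Estimate the PBKDF2-HMAC-SHA256 iteration count costing about target_s here."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"probe", b"probe-salt", probe)
    elapsed = max(time.perf_counter() - start, 1e-9)
    # Never go below the probe count, even on slow hardware.
    return max(probe, int(probe * target_s / elapsed))

def derive(password, salt1, salt2, iterations2, n, r, p):
    """hash = scrypt(pbkdf2(password, salt2+pepper, iterations2), salt1+pepper, n, r, p)"""
    inner = hashlib.pbkdf2_hmac("sha256", password, salt2 + PEPPER, iterations2)
    return hashlib.scrypt(inner, salt=salt1 + PEPPER, n=n, r=r, p=p, dklen=32)

def create_record(username, password, iterations2, n=2**14, r=8, p=1):
    """Build the row to save: the hash plus every parameter needed to recompute it."""
    salt1, salt2 = os.urandom(16), os.urandom(16)
    return {
        "username": username,
        "hash": derive(password, salt1, salt2, iterations2, n, r, p),
        "salt1": salt1, "salt2": salt2,
        "iterations2": iterations2, "n": n, "r": r, "p": p,
    }

def verify(record, password):
    """Recompute with the stored parameters and compare in constant time."""
    candidate = derive(password, record["salt1"], record["salt2"],
                       record["iterations2"], record["n"], record["r"], record["p"])
    return hmac.compare_digest(candidate, record["hash"])

if __name__ == "__main__":
    rec = create_record("alice", b"correct horse", calibrate_pbkdf2())
    print(verify(rec, b"correct horse"), verify(rec, b"wrong guess"))
```

Because each record carries its own salts and cost parameters, the work factors can be raised for new hashes without invalidating the ones already stored.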
 
     
     
     
     
    