undefined | Better HN

0 pointspc868y ago0 comments

Agree that OWASP's crypto advice is generally garbage, but is there a better salt policy than what they have?

    [protected form] = [salt] + protect([protection func], [salt] + [credential]);

0 comments

schoen8y ago

I assume tptacek's objection is that salts need to be unique (at most, unpredictable enough to discourage precomputation), and don't need to be produced by a CSPRNG.

Edit: or maybe something else from the editorial history of the document?

tptacek8y ago

There's that, but more generally and importantly, application developers who take special measures to generate salts tend not to be using secure password hashing algorithms --- the libraries for things like bcrypt tend to handle this for you.

schoen8y ago

Maybe akin to the "typing the letters A-E-S" in https://www.nccgroup.trust/us/about-us/newsroom-and-events/b...?

astockwell8y ago

"Just use bcrypt" (or scrypt). Salting is baked in.

j / k navigate · click thread line to collapse

0 pointspc868y ago0 comments

Agree that OWASP's crypto advice is generally garbage, but is there a better salt policy than what they have?

    [protected form] = [salt] + protect([protection func], [salt] + [credential]);

0 comments

schoen8y ago

I assume tptacek's objection is that salts need to be unique (at most, unpredictable enough to discourage precomputation), and don't need to be produced by a CSPRNG.

Edit: or maybe something else from the editorial history of the document?

tptacek8y ago

schoen8y ago

Maybe akin to the "typing the letters A-E-S" in https://www.nccgroup.trust/us/about-us/newsroom-and-events/b...?

astockwell8y ago

"Just use bcrypt" (or scrypt). Salting is baked in.

j / k navigate · click thread line to collapse