
Just use a random value and store it with the hashed password. The salt is there to prevent an attacker from using a rainbow table to search your whole database for known passwords. Even if they have all your hashes and all your salts, the fact that the salts are unique forces them to attack each hash individually.

What you're looking for is a pepper [0]

[0] https://en.wikipedia.org/wiki/Pepper_(cryptography)



Hmm, seems to me using both is optimal

horrible pseudocode follows... (made runnable in Python, behaviour kept as posted)

  import bcrypt

  # the three peppers are secrets kept outside the database, never next to the hashes
  PEPPERS = [b"pepper-zero", b"pepper-one", b"pepper-two"]

  def hash_password(username, email, creation_time, password):
      cryptchoice = len(username) % 3
      if cryptchoice == 0:
          pepper = PEPPERS[1]
          salt = email
      elif cryptchoice == 1:
          pepper = PEPPERS[0]
          salt = str(creation_time)
      else:
          pepper = PEPPERS[2]
          salt = username
      # bcrypt.hashpw() needs its own random salt from gensalt(); the salt+password+pepper
      # string is fed in as the "password". Note bcrypt only looks at the first 72 bytes,
      # so a long email or username can push the pepper past the point where it is used.
      return bcrypt.hashpw(salt.encode() + password.encode() + pepper, bcrypt.gensalt())


It's definitely wise to use both a salt and a pepper when hashing passwords. Don't bother with the switch statement, though, it's just security through obscurity. You're much better off keeping your security-related code as simple as possible so it's easier to notice bugs in it.
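The scheme the first comment describes (a random per-user salt stored beside the hash, plus a pepper kept outside the database) in the simple form the reply above recommends, with no username-dependent switch. This is an added example written for this page, not code from either commenter. It uses only the Python standard library: the pepper is folded in with HMAC before the stretching step rather than by string concatenation, and the stretching is PBKDF2-HMAC-SHA256 instead of bcrypt so it runs without third-party packages. The `PEPPER` value, the iteration count, and the `pbkdf2-sha256$...` record format are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed pepper for this example. In production it lives outside the users table
# (environment variable, KMS, HSM), so a dumped database does not include it.
PEPPER = bytes.fromhex("9f3c2a7d1e8b4f60c5a2d9e7b1f4c8a36d2e5b9c0f7a4d1e8b3c6f2a9d5e7b1c")

# Assumed work factor; raise it as hardware allows.
PBKDF2_ITERATIONS = 600_000


def _prehash(password: str, pepper: bytes) -> bytes:
    """HMAC the password with the pepper before stretching.

    Keying an HMAC with the pepper avoids the ambiguities of concatenating
    salt+password+pepper (length limits, boundary confusion) and keeps the
    pepper entirely out of the stored record.
    """
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER,
                  salt: Optional[bytes] = None) -> str:
    """Return a storable record: scheme$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password; stored with the hash
    dk = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper), salt,
                             PBKDF2_ITERATIONS)
    return f"pbkdf2-sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str, pepper: bytes = PEPPER) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2-sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper), salt, iterations)
    return hmac.compare_digest(dk, expected)


def salts_defeat_rainbow_tables(password: str) -> bool:
    """Same password, two users: the stored records differ, so one precomputed
    table cannot be matched against the whole database."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Tr0ub4dor&3", record))
    print("stolen DB, no pepper:",
          verify_password("correct horse battery staple", record, pepper=b"guess"))
    print("salts differ:", salts_defeat_rainbow_tables("hunter2"))
```

Because the pepper is an HMAC key and not part of the stored record, an attacker who dumps the table still cannot test guesses without also obtaining the pepper; the per-user salt then forces any cracking they do to be per hash rather than per database.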



