security - Password hashing with true random salt or username salt plus pepper? -


consider following 2 methods:

hashedpassword = hash(trulyrandomsalt + password)

where hashedpassword , trulyrandomsalt stored in database.

hashedpassword = hash(applicationconstantpepper + uniqueusername + password)

where hashedpassword , uniqueusername stored in database , applicationconstantpepper stored in application config. here, uniqueusername acts salt email addresses.

i have read question has lot of great information doesn't address application constant pepper value , how improve using usernames salt.

i have used method 1 32 bit cryptographically random salt. however, i've seen method 2 used in application. first issue have method 2 ties username hash username can never change without regenerating hash.

what security issues method two? best method use?

consider following 2 methods:

the first method terrible because allows attackers hashes use oclhashcat make, typically, trillions or quadrillions of guesses per month, , second horrific because same attackers can not make same, typically, trillions or quadrillions of guesses per month, if ahold of applicationconstantpepper , usernames before ahold of passwords, can precompute guesses while work on getting passwords.

please read how securely hash passwords?, in thomas pornin states "for peppering applicable, need in special setup there more pc disks; need hsm." please read entire article context, gist of is:

  • do use pbkdf2 (also known rfc2898 , pkcs#5v2), bcrypt, or scrypt.
  • do not use single pass of hash algorithm, regardless of how seasonings are.
  • do use 8-16 byte cryptographically random salt.
  • use high iteration count/work factor machine can handle @ peak load without causing users complain.
  • for pbkdf2 in particular, not request or use more output bytes native size of hash function.
    • sha-1 20 bytes
    • sha-224 28 bytes
    • sha-256 32 bytes
    • sha-384 48 bytes
    • sha-512 64 bytes
  • if you're on 64-bit system, consider using pbkdf2-hmac-sha-384 or pbkdf2-hmac-sha-512, reduce margin of superiority attacker 2014-vintage gpu's have on you.

if pepper concept anyway, please read password hashing add salt + pepper or salt enough?, again, thomas porrin's answer in particular.


Comments

Post a Comment

Popular posts from this blog

user interface - How to replace the Python logo in a Tkinter-based Python GUI app? -

is there way change default logo, python logo , appears in window's task bar? notice have replaced default tk logo used appear in application window. i using windows 7 , python 2.6 , developing gui of tkinter. you can using winico tk extension package. winico package can used add system tray icons tk programs. the following sample shows 1 way change runtime application icon. note need provide .ico file suitable sizes of icons in on command line , need use pythonw. not change taskbar icon console when running python script. test extracted winico0.6 package python\tcl\winico0.6 folder package require winico work , ran code below using pythonw winico_test.py path\to\some\ico\file.ico . import sys tkinter import * def main(argv): root = tk() root.update() root.tk.call('package','require','winico') id = root.tk.call('winico','createfrom',argv[1]) root.tk.call('winico','setwindow',root,id...
Read more

objective c - Greedy NSProgressIndicator Allocation -

i'm using bunch of nsprogressindicators @ once (32 exact) , looks when they're animating start allocating memory no one's business greedy_run http://i62.tinypic.com/15rgmso.png i've got reports app slowdown , crash after days of uptime, , looks culprit, it's hard pinpoint bugs take days appear. i comment out call start animating, memory behaves expected. result of multiple nsprogressindicators alloc'ed on same thread? or maybe sandboxing? of constant allocations coming core animation threads, don't know else going on. custom nsview progress indicator lives in @interface myview () @property (nonatomic, strong) nsimageview *imageview; @property (nonatomic, strong) nstextview *numbertxt; @property (nonatomic, strong) nsprogressindicator *progress; @end @implementation myview - (id)initwithframe:(nsrect)framerect { self = [super initwithframe:framerect]; if (self) { // image nsimage *image = [nsimage imagenamed:@"bg.png"]; c...
Read more

how to set an OCR language in Google Drive -

i need upload image google drive including ocr feature. the problem setocrlanguage method. need specify hebrew language , based on iso 639-1 codes should "heb". i'm getting response "code" : 400, "errors" : [ { "domain" : "global", "location" : "ocrlanguage", "locationtype" : "parameter", "message" : "invalid value", "reason" : "invalid" } ], any idea should code or can list of avaliable codes?
Read more