[WEB SECURITY] Idea: different approach to password hashing

Denis Kolegov d.n.kolegov at gmail.com
Fri Jan 31 11:36:02 EST 2014


Hi Paul,
Hi All,

Another interesting and secure solution is adding a local parameter or
unreadable local parameter proposed by Solar Designer at

http://www.openwall.com/presentations/YaC2012-Password-Hashing-At-Scale/mgp00001.html

The main idea is using Hash(User_password + salt + local_parameter),
where the local parameter is the same for all users and is stored on a
dedicated device (see slides 4 and 5).

By the way, the mechanism hash(server_salt + user_name) has a weakness;
the more correct construction is hash(user_name + server_salt).

Thanks.

---
Sincerely,
Denis Kolegov
@dnkolegov
