[WEB SECURITY] Idea: different approach to password hashing

Denis Kolegov d.n.kolegov at gmail.com
Fri Jan 31 11:36:02 EST 2014

Hi Paul,
Hi All,

Another interesting and secure solution is adding a local parameter or
unreadable local parameter proposed by Solar Designer at


The main idea is to use Hash(User_password + salt + local_parameter),
where the local parameter is the same for all users and is stored on a
dedicated device (see slides 4 and 5).

By the way, the mechanism hash(server_salt + user_name) has a weakness -
a more correct construction is hash(user_name + server_salt).


Denis Kolegov
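
An added example, not part of the original message: a sketch of the local-parameter scheme described above, showing that a stored salt and hash cannot be checked without the parameter. It swaps the plain Hash(password + salt + local_parameter) concatenation for PBKDF2 followed by HMAC keyed with the local parameter. The function names and the LOCAL_PARAMETER value are constructed for illustration, and in a deployment the parameter would sit on the dedicated device rather than in code.

```python
import hashlib
import hmac
import os

# Constructed sample value (assumption). In the scheme from the message this
# secret is the same for all users and is kept on a dedicated device, never
# next to the per-user salts and hashes in the database.
LOCAL_PARAMETER = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)

PBKDF2_ITERATIONS = 100_000  # assumption: tune to your hardware


def _derive(password: str, salt: bytes, local_parameter: bytes) -> bytes:
    """Stretch password+salt, then key the result with the local parameter."""
    stretched = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    # HMAC keyed with the local parameter: without the key, the stored value
    # cannot be recomputed from a password guess and the salt alone.
    return hmac.new(local_parameter, stretched, hashlib.sha256).digest()


def enroll(password: str, local_parameter: bytes = LOCAL_PARAMETER):
    """Return (salt, stored_hash); only these two go into the database."""
    salt = os.urandom(16)
    return salt, _derive(password, salt, local_parameter)


def verify(password: str, salt: bytes, stored: bytes,
           local_parameter: bytes = LOCAL_PARAMETER) -> bool:
    """Constant-time comparison of the recomputed value with the stored one."""
    candidate = _derive(password, salt, local_parameter)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    salt, stored = enroll("correct horse")
    print("right password, right parameter:", verify("correct horse", salt, stored))
    print("wrong password:", verify("battery staple", salt, stored))
    # Database-only view: salt and hash are known, the local parameter is not.
    print("right password, unknown parameter:",
          verify("correct horse", salt, stored, local_parameter=bytes(32)))
```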
