2 comments

[ 2.8 ms ] story [ 13.3 ms ] thread
tldr; The Tide Foundation, a non-profit organisation, has developed a mechanism that it says makes passwords exponentially more difficult to crack.
Similar gains might be realized by proper use of "pepper", something I hadn't hear of until a month ago. TL;DR: You add another secret, never stored in the database, string to the password before hashing. The benefit is that a database dump does not contain the information needed to crack the passwords.

Example: bcrypt.hashpw(hashlib.sha512(password + pepper).digest(), bcrypt.gensalt(10))

https://en.wikipedia.org/wiki/Pepper_(cryptography)

Alternately, Dropbox uses AES256 using the pepper as the key as the last step. The benefit there is that you can easily change the pepper if it has been compromised.

https://blogs.dropbox.com/tech/2016/09/how-dropbox-securely-...