Ask HN: Do You Disclose Your Password Encryption Policy to Users
For example, a privacy policy might read like this;
“Under no circumstances will we store your password as plain text. All passwords are encrypted with the Bcrypt hashing function and individual random password salts. If your password is 123456, your password would be stored in our database in a form similar to; salt:f11ba67d8a hash:$2a$08$jRAovt7x1lgHjMGsZstzUukaE4Nga6jxfneZXPSMc6/Uhlx.rY4ri Therefore, our website - nor anyone else - will know your your password.”
Question #1: Do you think publicly disclosing password hashing is a good policy?
Question #2: Would disclosing password hashing policies disincentivise hackers from attempting to hack your password database?
PS: This is not a question about which password hashing scheme or use of salts is best.
1 comment
[ 2.4 ms ] story [ 10.4 ms ] thread