date 2005-03-19, from the push-it dept.
You heard me. You know how weak your users’ passwords likely are. You know your users are almost certainly sharing their passwords with multiple sites. You know that a compromise of your database could lead to significant damage coming to them. You know this because it happens all the time, all over the web.
You have a duty to protect the security and privacy of your userbase. They’ve entrusted you with their data, and it is on you to keep it safe. So why aren’t you doing everything possible to accomplish that task? For this blog, we are going to talk exclusively about password storage.
If you ask just about any security professional in the world how best to store a password, you’re liable to hear something about using a cryptographically secure hashing function “with a salt.” Some will go so far as to mention algorithms like Bcrypt or Scrypt. Very few will make any mention of how password policy plays a significant part in ensuring the security of any stored values.
But almost none of them will even mention the word “pepper.” Now I suspect this isn’t malicious (obviously). I think even most security professionals simply aren’t informed enough to know or act with regard to this concept.
So today we’re gonna work on that…
(Score: 3, Informative) by isostatic on Tuesday March 05, @01:41PM (1 child)
So "Pepper" is a hard-coded (or at least not stored in the same location as user data) salt stored in the application, which means that even if the user data, including salt, is compromised, the password still can't be brute forced unless the pepper is also compromised.
(Score: 3, Informative) by bradley13 on Tuesday March 05, @01:49PM
Yes, and it's really not a bad idea. Not as earth shattering as TFA implies, but not bad at all. The trick would be to keep the pepper as secret as possible: read it from a protected file store or something. Joe Random Intern shouldn't have access to it.
Everyone is somebody else's weirdo.
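The scheme isostatic and bradley13 describe, as an added example that is not code from the blog or the commenters: a per-user salt is stored with the hash, while the application-wide pepper lives outside the user database. It assumes PBKDF2-HMAC-SHA256 from the standard library as the slow hash (the post mentions Bcrypt/Scrypt; either would slot in the same way) and uses a constructed pepper value in place of one read from a protected file or secret store.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed 32-byte pepper for the demo. In a deployment it would be read
# from a protected location (restricted file, secret manager, env var set by
# the deploy system) and never written to the user database.
DEMO_PEPPER = bytes.fromhex(
    "9f3c1b8e2a7d4c6f0e5b9a1d3c7e8f2a4b6d8c0e1f3a5b7d9c2e4f6a8b0c1d3e"
)
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor


def load_pepper(env_var: str = "APP_PEPPER") -> bytes:
    """Read the hex-encoded pepper from the environment; fall back to the demo value."""
    value = os.environ.get(env_var)
    return bytes.fromhex(value) if value else DEMO_PEPPER


def _prehash(password: str, pepper: bytes) -> bytes:
    # Bind the pepper to the password with HMAC before the slow hash, so a
    # leaked salt+hash record cannot be tested against guesses without it.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes, salt: Optional[bytes] = None) -> dict:
    """Return the record to store in the database: per-user salt, hash, work factor."""
    salt = salt or secrets.token_bytes(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(password: str, pepper: bytes, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", _prehash(password, pepper), salt, record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    pepper = load_pepper()
    rec = hash_password("correct horse battery staple", pepper)
    print(rec)
    print(verify_password("correct horse battery staple", pepper, rec))  # True
    # Same correct password, but checked without the real pepper (a DB-only leak):
    print(verify_password("correct horse battery staple", b"\x00" * 32, rec))  # False
```

Because the pepper is mixed in before hashing, rotating it cannot be done over the stored records alone; the usual approach is to version the pepper in the record and re-hash each user at their next successful login.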
(Score: 0) by Anonymous Coward on Tuesday March 05, @01:53PM (2 children)
The headline contains both "you are" and its contraction "you're".
(Score: 2) by takyon on Tuesday March 05, @01:58PM
If you are not peppering your headlines with contractions, you're doing it wrong
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 1) by shrewdsheep on Tuesday March 05, @01:58PM
Hm..., maybe it is a case of peppering. Contract or don't contract, but based on a secret from somewhere (elusive).