
You generally encrypt the hash of the password. Pepper can be thought of as a form of encryption.


Who is this "you" that will "generally encrypt the hash"?

And no, pepper is not encryption. Encryption is reversible, you can decrypt the ciphertext with the key.

Hashing isn't encryption / Confidentiality isn't integrity / RAID isn't backup / Income isn't profit

Not knowing the difference doesn't mean there isn't a difference.


I always wondered something: does using a secret key as salt and keeping the last (few) block(s) of a block cipher as output produce a reasonable hashing algorithm? Maybe with three salts, one for the key, one as a prefix to the password and one as a suffix?


What the GP describes is absolutely correct. It may not be all that common but it is a known pattern. That you haven't heard of it doesn't mean it doesn't exist.

> An alternative approach is to hash the passwords as usual and then encrypt the hashes with a symmetrical encryption key before storing them in the database, with the key acting as the pepper.

https://cheatsheetseries.owasp.org/cheatsheets/Password_Stor...
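The hash-then-encrypt pattern quoted from the OWASP cheat sheet, worked through as an added example (this is not code from any commenter or from OWASP). It also shows the practical consequence of the earlier point that encryption, unlike hashing, is reversible: the pepper key can be rotated by decrypting and re-encrypting the stored records, with no user interaction. Assumptions: the password hash is PBKDF2-HMAC-SHA256, and because the Python standard library has no AES, the encryption layer is a stand-in stream cipher plus MAC built from HMAC-SHA256; in production this layer would be an AEAD such as AES-GCM from a proper crypto library.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (OWASP's recommended minimum is 600,000).
PBKDF2_ITERATIONS = 600_000
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32  # SHA-256 HMAC tag


def hash_password(password: str, salt: bytes) -> bytes:
    """Step 1: the ordinary salted, slow password hash (salt is public, per user)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _subkeys(pepper: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from the pepper (domain separation)."""
    enc_key = hmac.new(pepper, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(pepper, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Assumed stand-in for a real cipher: HMAC-SHA256 in counter mode as a PRF keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_hash(pepper: bytes, digest: bytes) -> bytes:
    """Step 2: encrypt the hash under the pepper. Layout: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(pepper)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(digest, _keystream(enc_key, nonce, len(digest))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def decrypt_hash(pepper: bytes, blob: bytes) -> bytes:
    """Reverse of encrypt_hash; fails closed if the pepper is wrong or the record was altered."""
    enc_key, mac_key = _subkeys(pepper)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong pepper or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def create_record(password: str, pepper: bytes) -> dict:
    """What goes in the database: public salt plus the encrypted hash. The pepper does not."""
    salt = os.urandom(SALT_LEN)
    return {"salt": salt, "blob": encrypt_hash(pepper, hash_password(password, salt))}


def verify_password(record: dict, password: str, pepper: bytes) -> bool:
    """Decrypt the stored hash with the pepper, then compare in constant time."""
    try:
        stored_digest = decrypt_hash(pepper, record["blob"])
    except ValueError:
        return False
    return hmac.compare_digest(stored_digest, hash_password(password, record["salt"]))


def rotate_pepper(record: dict, old_pepper: bytes, new_pepper: bytes) -> dict:
    """Because this layer is encryption rather than hashing, it can be undone and redone
    with a new key offline; the user never has to re-enter the password."""
    digest = decrypt_hash(old_pepper, record["blob"])
    return {"salt": record["salt"], "blob": encrypt_hash(new_pepper, digest)}


if __name__ == "__main__":
    # Constructed demo values; a real pepper comes from a KMS/HSM or secrets manager, not the DB.
    pepper_v1, pepper_v2 = os.urandom(32), os.urandom(32)
    rec = create_record("correct horse battery staple", pepper_v1)
    print("login ok:", verify_password(rec, "correct horse battery staple", pepper_v1))
    rec = rotate_pepper(rec, pepper_v1, pepper_v2)
    print("login ok after rotation:", verify_password(rec, "correct horse battery staple", pepper_v2))
    print("old pepper rejected:", not verify_password(rec, "correct horse battery staple", pepper_v1))
```

The design point is the one the thread is circling: a leaked database table alone yields nothing crackable without the pepper, and because the outer layer is reversible the operator can re-key it, which an HMAC-style pepper baked into the hash input cannot do.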



