lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 25 Jun 2015 22:16:59 +0800
From: Ben Harris <>
Subject: Re: [PHC] Why protect against side channel attacks

On 25 Jun 2015 9:59 pm, "Krisztián Pintér" <> wrote:
> On Thu, Jun 25, 2015 at 3:17 PM, Ben Harris <> wrote:
> > But no, the salt is better considered as "sensitive" and treated in the
> > respect as the password hash.
> secret salt disables server relief

For some implementations of server relief. You could have the client send
the password and the server reply with hash(password, salt) which the
client then does stretching on.

Though I'm probably missing some obvious reason why that won't work.

Content of type "text/html" skipped

Powered by blists - more mailing lists