| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <35d101d0af8a$c4fa25a0$4eee70e0$@bindshell.nl> Date: Thu, 25 Jun 2015 14:06:13 -0700 From: <epixoip@...dshell.nl> To: <discussions@...sword-hashing.net> Subject: RE: [PHC] Why protect against side channel attacks > -----Original Message----- > From: Krisztián Pintér [mailto:pinterkr@...il.com] > Sent: Thursday, June 25, 2015 06:59 > To: discussions@...sword-hashing.net > Subject: Re: [PHC] Why protect against side channel attacks > > On Thu, Jun 25, 2015 at 3:17 PM, Ben Harris <mail@...rr.is> wrote: > > But no, the salt is better considered as "sensitive" and treated in the same > > respect as the password hash. > > secret salt disables server relief This isn't necessarily true (or at least doesn't have to be true.) Salt with the username for the client-side hashing, then hash with a "traditional" salt on the server-side before storing the final hash in the password database. This is precisely what LastPass does.
Powered by blists - more mailing lists