[Owasp-leaders] Stepping through password hashing options

Adrian Hayes adrian.hayes at owasp.org
Sun Jun 24 23:06:04 UTC 2012


Hi Jim,

Thought I'd chime in with a small suggestion here. Bcrypt has an input
limit of 55 bytes (according to the whitepaper), which is fine until
someone decides to have a really long config salt which essentially
pushes the user's password off the end. This would be bad, so I
generally recommend people append any app specific salt to the end of
the user's password (password + salt), and warn them against doing the
opposite (salt + password).

    bcrypt(password + config_salt, gensalt(workfactor))

I guess you could add that to your list of bcrypt caveats!

-- 
Adrian Hayes
OWASP New Zealand Chapter Leader (Wellington)



On 25/06/12 02:11, Jim Manico wrote:
> bcrypt(user salt + config salt + password, work-factor)
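The truncation Adrian describes, worked through as an added example (editor's code, not code from this thread or from any bcrypt library). It models only the input window: bcrypt keys on at most a fixed number of leading bytes and ignores the rest. The mail cites 55 bytes from the paper; most implementations cut at 72 bytes, so the limit is a parameter and both figures can be tried. The 72-byte config salt and the two passwords are constructed for the demonstration. With the real library the combined bytes go to bcrypt.hashpw(combined, bcrypt.gensalt(rounds=12)); whether an over-long input is silently truncated or rejected depends on the library version, which is why combine_for_bcrypt below does the length check itself.

```python
"""Why the order of password and application salt matters for bcrypt.

Added example, not code from the original thread. bcrypt derives its
Blowfish key from at most `limit` leading bytes of the input and silently
ignores anything after that. If an application-wide config salt comes
first and is long, the user's password can fall entirely outside that
window, so every user with a different password gets the same hash input.
"""

# Assumption: the cut-off used by most bcrypt implementations. The paper
# quoted in the mail gives 55; pass limit=55 to see the same effect earlier.
BCRYPT_INPUT_LIMIT = 72


def bcrypt_input(password: bytes, config_salt: bytes, salt_first: bool,
                 limit: int = BCRYPT_INPUT_LIMIT) -> bytes:
    """Return the bytes bcrypt would actually key on for the chosen ordering."""
    combined = config_salt + password if salt_first else password + config_salt
    return combined[:limit]


def password_survives(password: bytes, config_salt: bytes, salt_first: bool,
                      limit: int = BCRYPT_INPUT_LIMIT) -> bool:
    """True if every byte of the user's password lands inside the keyed window."""
    if salt_first:
        # salt occupies the front of the window; the password only survives
        # if salt and password together fit.
        return len(config_salt) + len(password) <= limit
    # password first: the salt may be cut, the password never is.
    return len(password) <= limit


def collides(p1: bytes, p2: bytes, config_salt: bytes, salt_first: bool,
             limit: int = BCRYPT_INPUT_LIMIT) -> bool:
    """Do two *different* passwords produce an identical bcrypt input?"""
    if p1 == p2:
        return False
    return (bcrypt_input(p1, config_salt, salt_first, limit)
            == bcrypt_input(p2, config_salt, salt_first, limit))


def combine_for_bcrypt(password: bytes, config_salt: bytes,
                       limit: int = BCRYPT_INPUT_LIMIT) -> bytes:
    """The safe ordering from the mail: password + config_salt.

    Rejects passwords that could not fit in the window whole, then trims
    the combined input so the library is never handed more than `limit`
    bytes (newer libraries may raise instead of truncating).
    """
    if len(password) > limit:
        raise ValueError(f"password longer than {limit} bytes would be truncated")
    return (password + config_salt)[:limit]


# --- constructed sample data for the demonstration -------------------------
LONG_CONFIG_SALT = b"A" * 72          # an over-enthusiastic deployment salt
SHORT_CONFIG_SALT = b"A" * 16
PASSWORD_1 = b"password"
PASSWORD_2 = b"hunter2"


def demo(limit: int = BCRYPT_INPUT_LIMIT) -> dict:
    """Summarise both orderings for the sample data."""
    return {
        "salt_first_collides": collides(PASSWORD_1, PASSWORD_2,
                                        LONG_CONFIG_SALT, True, limit),
        "password_first_collides": collides(PASSWORD_1, PASSWORD_2,
                                            LONG_CONFIG_SALT, False, limit),
        "salt_first_password_survives": password_survives(
            PASSWORD_1, LONG_CONFIG_SALT, True, limit),
        "short_salt_password_survives": password_survives(
            PASSWORD_1, SHORT_CONFIG_SALT, True, limit),
        "safe_input": combine_for_bcrypt(PASSWORD_1, LONG_CONFIG_SALT, limit),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

With a 72-byte config salt placed first, "password" and "hunter2" are keyed on exactly the same 72 bytes, so their bcrypt outputs would match for the same per-user gensalt() value; put the password first and the two inputs differ from the first byte.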



