[Owasp-leaders] Stepping through password hashing options

William Stranathan will at thestranathans.com
Mon Jun 25 00:34:11 UTC 2012


Or start the operation with sha256(sha256(salt+password)+key) or
somesuch. Just start with a single hash which will be under the 55
bytes.

w

On Sun, Jun 24, 2012 at 7:06 PM, Adrian Hayes <adrian.hayes at owasp.org> wrote:
> Hi Jim,
>
> Thought I'd chime in with a small suggestion here. Bcrypt has an input limit
> of 55 bytes (according to the whitepaper), which is fine until someone
> decides to have a really long config salt which essentially pushes the
> user's password off the end. This would be bad, so I generally recommend
> people append any app specific salt to the end of the user's password
> (password + salt), and warn them against doing the opposite (salt +
> password).
>
> bcrypt(password + config_salt, gensalt(workfactor))
>
> I guess you could add that to your list of bcrypt caveats!
>
> --
> Adrian Hayes
> OWASP New Zealand Chapter Leader (Wellington)
>
>
>
> On 25/06/12 02:11, Jim Manico wrote:
>
> bcrypt(user salt + config salt + password, work-factor)
>
>
>



-- 
-- coleslaw
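As an added illustration (not code from this thread), a small Python model of the two points made above: if bcrypt only consumes the first 55 bytes of its input, as Adrian cites, then putting a long config salt in front of the password makes different passwords indistinguishable, whereas pre-hashing as William suggests yields a short, fixed-length input. The truncation model, the salt, the passwords and the server key are all constructed assumptions; no real bcrypt is called.

```python
import base64
import hashlib

# Input limit as cited in the thread (55 bytes). Used here only to model
# truncation; real implementations differ, so treat this as an assumption.
BCRYPT_INPUT_LIMIT = 55

def bcrypt_effective_input(data: bytes, limit: int = BCRYPT_INPUT_LIMIT) -> bytes:
    """Constructed stand-in for bcrypt: return only the bytes it would consume.
    The KDF itself is irrelevant here; only the cut-off matters."""
    return data[:limit]

def naive_input(config_salt: bytes, password: bytes, salt_first: bool) -> bytes:
    """The two concatenation orders discussed in the thread."""
    return config_salt + password if salt_first else password + config_salt

def collides(config_salt: bytes, pw_a: bytes, pw_b: bytes, salt_first: bool) -> bool:
    """True when two different passwords feed bcrypt identical bytes."""
    a = bcrypt_effective_input(naive_input(config_salt, pw_a, salt_first))
    b = bcrypt_effective_input(naive_input(config_salt, pw_b, salt_first))
    return pw_a != pw_b and a == b

def prehash(config_salt: bytes, password: bytes, key: bytes) -> bytes:
    """sha256(sha256(salt+password)+key) as in the thread, base64-encoded so the
    result is 44 NUL-free ASCII bytes: under the limit no matter how long the
    salt or password is, and safe for implementations that stop at a NUL."""
    inner = hashlib.sha256(config_salt + password).digest()
    outer = hashlib.sha256(inner + key).digest()
    return base64.b64encode(outer)

# Constructed sample values (not from the original thread).
LONG_SALT = b"app-config-salt-" * 4          # 64 bytes: longer than the limit
PW_A = b"correct horse battery staple"
PW_B = b"Tr0ub4dor&3"
KEY = b"server-side-key-example"

def demo() -> dict:
    return {
        "salt_first_collides": collides(LONG_SALT, PW_A, PW_B, salt_first=True),
        "password_first_collides": collides(LONG_SALT, PW_A, PW_B, salt_first=False),
        "prehash_len": len(prehash(LONG_SALT, PW_A, KEY)),
        "prehash_distinct": prehash(LONG_SALT, PW_A, KEY) != prehash(LONG_SALT, PW_B, KEY),
    }

if __name__ == "__main__":
    print(demo())
```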