[Labs-l] salt in labs?

Thomas Gries mail at tgries.de
Sun Mar 17 01:37:39 UTC 2013


Am 17.03.2013 01:46, schrieb Jeremy Baron:
>
> On Mar 16, 2013 7:18 PM, "Thomas Gries" <mail at tgries.de
> <mailto:mail at tgries.de>> wrote:
> > Why not salt-per-user ?
>
> I'm not sure what you mean.
>

It is much safer to add have different salt per user.
http://crackstation.net/hashing-security.htm

section The RIGHT Way: How to Hash Properly
...
The salt needs to be unique per-user per-password. Every time a user
creates an account or changes their password, the password should be
hashed using a new random salt. Never reuse a salt. The salt also needs
to be long, so that there are many possible salts. As a rule of thumb,
make your salt is at least as long as the hash function's output. The
salt should be stored in the user account table alongside the hash.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.wikimedia.org/pipermail/labs-l/attachments/20130317/3d058cb8/attachment.html>


More information about the Labs-l mailing list