by amjo324 3677 days ago
"We are currently utilizing advanced protocols including double salted hashes"

Shudder. Whenever someone starts talking about double salting, triple salting or even just salting, it's usually a sign that they are doing password storage all wrong.

Salting only thwarts attacks against pre-computed lookup (i.e. rainbow) tables, and most attackers don't use rainbow tables nowadays to reverse hashes. Increases in GPU power have meant that it's more practical to just enumerate through all password permutations on-the-fly than to do a lookup in an enormous file.

If a company is using a modern hashing algorithm purposefully designed for password storage (e.g. PBKDF2, bcrypt or scrypt), they need not even consider salts because they are automatically incorporated into the algorithm and are transparent to the implementor.

In my opinion, the best article describing the current state of play with respect to password storage is the following:

https://www.nccgroup.trust/us/about-us/newsroom-and-events/b...
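The two points in the comment above, that a salt only defeats pre-computed lookup tables and that the real defense is a slow, purpose-built KDF, can be shown in a few lines. The following is an added example written for this page, not code from the commenter or from the linked article. It uses only the Python standard library; the wordlist is a constructed toy, and the `pbkdf2_sha256$...` storage format is an assumed convention, not a standard. Note that `hashlib.pbkdf2_hmac` expects the caller to supply the salt, whereas libraries such as bcrypt generate one internally.

```python
import hashlib
import hmac
import os

# Constructed toy wordlist standing in for a pre-computed (rainbow) table.
WORDLIST = ["password", "letmein", "123456", "qwerty", "hunter2"]


def fast_unsalted(password: str) -> str:
    """The anti-pattern: a single fast, unsalted hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """Pre-compute digest -> password once; reusable against every user."""
    return {fast_unsalted(w): w for w in words}


def lookup(table, digest):
    """Reverse a digest with one dictionary probe; no hashing at attack time."""
    return table.get(digest)


def pbkdf2_hash(password: str, salt: bytes = None, iterations: int = 600_000) -> str:
    """Store a password with a per-record random salt and a tunable work factor.

    Output format (assumed convention for this example):
        pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>
    """
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, unique per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def salted_records_differ(password: str, iterations: int = 1_000) -> bool:
    """Same password, two records: the random salt makes the stored values differ,
    so a table pre-computed against one record says nothing about the other."""
    return pbkdf2_hash(password, iterations=iterations) != pbkdf2_hash(
        password, iterations=iterations
    )


def table_hits_salted(table, password: str, iterations: int = 1_000) -> bool:
    """Probe the unsalted lookup table with the derived key of a salted record.
    Returns False: the pre-computed digests are for a different function and salt."""
    stored = pbkdf2_hash(password, iterations=iterations)
    dk_hex = stored.split("$")[-1]
    return lookup(table, dk_hex) is not None


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    leaked = fast_unsalted("hunter2")
    print("unsalted SHA-256 reversed via table:", lookup(table, leaked))
    record = pbkdf2_hash("hunter2", iterations=1_000)
    print("salted PBKDF2 record:", record)
    print("table hit on salted record:", table_hits_salted(table, "hunter2"))
    print("verify correct password:", pbkdf2_verify("hunter2", record))
    print("verify wrong password:", pbkdf2_verify("Hunter2", record))
```

The iteration count in the examples is kept low so they run instantly; a production setting is the largest count the login path can afford, since that work factor, not the salt, is what slows on-the-fly enumeration of candidate passwords on a GPU.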