[tptacek]

OWASP's cryptography advice is almost invariably awful, and that password storage thing is among the worst of it. It's better now than it was when it recommended against password hashes (note that it still recommends "cryptographically strong salts") but remains factually incorrect in more than one place, including the notion that PBKDF2 is better than bcrypt (the opposite is true).

[pc86]

Agree that OWASP's crypto advice is generally garbage, but is there a better salt policy than what they have?

    [protected form] = [salt] + protect([protection func], [salt] + [credential]);

[schoen]

I assume tptacek's objection is that salts need to be unique (at most, unpredictable enough to discourage precomputation), and don't need to be produced by a CSPRNG.

Edit: or maybe something else from the editorial history of the document?

[tptacek]

There's that, but more generally and importantly, application developers who take special measures to generate salts tend not to be using secure password hashing algorithms --- the libraries for things like bcrypt tend to handle this for you.

[schoen]

Maybe akin to the "typing the letters A-E-S" in https://www.nccgroup.trust/us/about-us/newsroom-and-events/b...?

[astockwell]

"Just use bcrypt" (or scrypt). Salting is baked in.