[chipsa]

I saw this post a while ago in a different forum. My note for it hasn't changed: This is called peppering[0]. It's a counterpart to salting, in that you add a random value to a password to make it harder to reverse the password hash, but unlike the salt, it's not stored in the password database.

0: https://en.wikipedia.org/wiki/Pepper_(cryptography)

[e12e]

This is very different from peppering. Salt/pepper is all about server storage/verification. The "path" is plain, hash, salted hash, peppered hash.

Plain:server stores the password, client sends the password - matching is simple. When server is breached, all passwords are known.

Hash:server stores a hash of the password, the type of hash. Client sends the plain password, server hashes and compares. When server is breached, most passwords are known, by way of rainbowtables/brute force.

Salted hash: same as hash, servers additionally stores random salt pr account. Hash is over plain password and hash. When server is compromised, weak/dictionary passwords are compromised via brute force.

Pepered passwords: an additional secret is used for salting. The stored hash now depends on plaintext password, plain salt, "secret" pepper. When server is compromised, most likely pepper is compromised too. If not (eg: only database/backups are exposed), pepper needs to be recovered before brute force of passwords is viable. If the attacker has an account (know a password) it's straightforward to attempt to brute force the pepper, but unless it's weak (eg not a 128 bit random number) - it should not be feasible.

Finally, horcruxing - has nothing to do with server side. Has nothing to do with hashing. Is a simple suffix appended to any given password stored in a password manager, in a INMHO misguided attempt at improved security.

Server sees full password on account creation and login. Seems to suggested to share "horcqrux" cross accounts.

An attacker compromising the passwords stored in the password manager, only gets ~half the password. Need to get the other half via brute force, through compromising another account sharing the same suffix/horcrux, via keyboard logger etc.

A physical compromise of a device with a password manager seem to likely open up for a lot of these attacks.

Note that bitwarden uses 2fa to authenticate a client - but AFAIK if you have a copy of the data/vault - the passphrase is sufficient to get the decryption key.

Horcruxing defends against some odd threats, and otherwise adds more complexity than security IMNHO.

[vmarquet]

I think the term "peppering" is mostly used for server side manipulation of the password, which the user is unaware of.

It would be very confusing to reuse this term for what is described in this article, so a new term like "Horcruxing" can be relevant. I like it.

[inopinatus]

I fear it may be unfair to expect most end-users to apply this scheme appropriately and consistently, and therefore recommend that it be known as mustard.

[kortex]

I was thinking currying, as it is both spice-themed and analogous to function currying in that you take your base password, curry it with the secret to get the submitted password.

[chairmanwow1]

I think I really disagree with you there. This is the same concept but applied client-side instead of server-side.

But “client-side peppering” won’t get you to the front page of HN..

[molszanski]

I would click “client-side peppering” over horxsomething, didn't read Harry Potter

[phantom_rehan]

Horcruxes are similar to what emmanueloga_ has mentioned. Horcruxes were special things in which Harry Potter's lead antagonist, Voldemort stored parts of his 'soul', so that even if he died, someone cpuld revive him using the horcruxes. I haven't kept up with Harry Potter for a year now, so I might be wrong with respect to the exact definition.

[cduzz]

A horcrux is a plot device where the protagonists need 2fa to send a HUP or TERM to the misbehaving process.

[webmaven]

> A horcrux is a plot device where the protagonists need 2fa to send a HUP or TERM to the misbehaving process.

Okay, I didn't literally LOL, but you did earn a really big grin and even a chortle. Well done.

BTW, I would totally read "Harry Potter and the Protocols of Security". Some of the "Methods of Rationality" fan fiction by Eliezer Yudkowsky nods in that direction (eg. the Death Eaters' opsec).

[tgb]

I think these concepts are significantly different - as different as salts and peppers at least. Peppering helps protect against database access revealing password. Horcrux protects against password manager access. Peppering is stored on the server, but outside the database. Horcruxes are stored in the user's head. You could do both, one, or neither. Client-side peppering would be having part of your password outside of the password manager but still on your computer. If anything it's brain-side peppering.

[kbenson]

> Peppering helps protect against database access revealing password. Horcrux protects against password manager access.

What is a password manager but a database of your passwords? Peppering is a token that is not in the database of passwords that needs to be applied for the password to be correct. Whether it's applied by an application, or a person doesn't seem relevant, as what is an application but a set of instructions a person could do carried out automatically?

I don't care what it's called, but I don't really see a difference in the scenarios you've outlined.

[e12e]

> Peppering is a token that is not in the database of passwords that needs to be applied for the password to be correct.

Well, typically a server only cares about verifying the user (still) knows a password.

A typical server (today) does not have a way to reconstruct the plain password, only a way to check if any given string matches.

A password manager, typically does have a way to supply the password.

Peppers and salts are typically manipulated by the server system, plain passwords are typically managed by the password manager.

In this case the password manager never sees the hocrux, and cannot leak it. A server will typically leak a pepper to anyone with access to ram (or access to a hw enclave, which is expected to be more difficult).

[tgb]

Frankly this has more in common with a 2FA approach with one factor being the password manager and the other your horcrux. I wouldn't call my phone authenticator app a client-side pepper.

[kkirsche]

Agreed. A common reason for shared terminology in computing is to encourage re-use of techniques, this is a great example of that