by benhirashima
4629 days ago
thanks for the link. it was a good read. however, i see nothing in there that suggests that using a pepper is necessarily a bad thing. i think the answer from rory mcclune puts it well: "Another add-on I've seen to this is to also add in what was called a pepper value. This was just another random string but was the same for all users and stored with the application code as opposed to in the database. The theory here is that in some circumstances the database may be compromised but the application code is not, and in those cases this could improve the security. It does, however, introduce problems if there are multiple applications using the same password database."
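The pepper scheme described in the quoted answer, as an added example that is not part of the original comment or the answer it quotes. It assumes the pepper is mixed in with HMAC-SHA256 before a salted PBKDF2 hash; the function names, iteration count and sample password are constructed for illustration.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # constructed value for this example


def _derive(password: str, salt: bytes, pepper: bytes) -> bytes:
    # Mix in the application-wide pepper with HMAC, then run the salted slow hash.
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, PBKDF2_ITERATIONS)


def hash_password(password: str, pepper: bytes):
    """Return (salt, digest): the only values that go into the database."""
    salt = secrets.token_bytes(16)  # random, per user, stored next to the digest
    return salt, _derive(password, salt, pepper)


def verify_password(password: str, salt: bytes, digest: bytes, pepper: bytes) -> bool:
    # Constant-time comparison of the recomputed digest with the stored one.
    return hmac.compare_digest(_derive(password, salt, pepper), digest)


def demo() -> dict:
    # Each pepper lives with its application's code or config, never in the database.
    app_a_pepper = secrets.token_bytes(32)
    app_b_pepper = secrets.token_bytes(32)  # a second application on the same database

    salt, digest = hash_password("correct horse", app_a_pepper)  # row written by app A

    return {
        # Normal login through the application that created the row.
        "app_a_login": verify_password("correct horse", salt, digest, app_a_pepper),
        "wrong_password": verify_password("wrong horse", salt, digest, app_a_pepper),
        # The problem the quoted answer mentions: another application sharing the
        # password database cannot verify the user unless it holds the same pepper.
        "app_b_login": verify_password("correct horse", salt, digest, app_b_pepper),
        # The benefit: with only the database row (salt and digest), even the
        # correct password does not verify, because the pepper is missing.
        "db_only_check": verify_password("correct horse", salt, digest, b""),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```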