
Is it wrong to think of you as a really secure, off-site salt provider? At the end of the day you are just providing a really good source of secure random bytes that are stored for the user.

What is the security benefit of sending you the actual hash of the password? Why not just the hash of a unique user token?



That's a good way to think of it.

It's important to use the password as part of the entropy so that an attacker has to make a Blind Hashing request for each attempt to crack a password versus being able to make a single request to effectively unblind it.
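As an added illustration of the point in this reply (example code written for this page, not the commenter's code and not the Blind Hashing service's own implementation): the off-site service is modeled as an HMAC keyed with a secret the website never sees, an assumption standing in for whatever secret data the real service holds. It contrasts the password-bound request described above with the per-user-token request suggested in the question, and counts how many oracle queries a wordlist attack needs in each design. The salt, token, wordlist and secret are constructed values.

```python
import hashlib
import hmac

# Assumption for this example: the remote service's secret is a single HMAC key.
# The real service never reveals its secret material; here we only need that the
# website cannot compute the oracle's answer on its own.
SERVICE_SECRET = b"constructed-demo-secret-do-not-reuse"


class BlindHashOracle:
    """Models the off-site service: returns secret-derived bytes for the
    client-supplied input and counts how often it is queried."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self.calls = 0

    def query(self, client_bytes: bytes) -> bytes:
        self.calls += 1
        return hmac.new(self._secret, client_bytes, hashlib.sha256).digest()


def local_hash(password: str, salt: bytes) -> bytes:
    # The only password-derived value that leaves the website.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def final_hash(local: bytes, pepper: bytes) -> bytes:
    # What the website stores: local salted hash combined with the oracle's bytes.
    return hashlib.sha256(local + pepper).digest()


def enroll_password_bound(oracle: BlindHashOracle, password: str, salt: bytes) -> bytes:
    """Design from the reply: the request sent to the service depends on the
    password, so every verification and every crack attempt costs a query."""
    local = local_hash(password, salt)
    return final_hash(local, oracle.query(local))


def enroll_token_bound(oracle: BlindHashOracle, password: str, salt: bytes,
                       user_token: bytes) -> bytes:
    """Alternative from the question: only a hash of a per-user token is sent,
    so the pepper no longer depends on the password."""
    pepper = oracle.query(hashlib.sha256(user_token).digest())
    return final_hash(local_hash(password, salt), pepper)


def crack_password_bound(oracle, stored, salt, wordlist):
    # Each guess needs its own round trip to the service.
    for guess in wordlist:
        if enroll_password_bound(oracle, guess, salt) == stored:
            return guess
    return None


def crack_token_bound(oracle, stored, salt, user_token, wordlist):
    # One query "unblinds" the pepper for this user; all guessing is then offline.
    pepper = oracle.query(hashlib.sha256(user_token).digest())
    for guess in wordlist:
        if final_hash(local_hash(guess, salt), pepper) == stored:
            return guess
    return None


def demo():
    """Returns (recovered, queries) for each design against a 5-word list where
    the real password is the last entry."""
    wordlist = ["123456", "password", "letmein", "correct horse", "hunter2"]
    salt = b"\x01" * 16   # constructed, fixed so the demo is deterministic
    token = b"user-42"    # constructed per-user token
    true_pw = "hunter2"

    oracle = BlindHashOracle(SERVICE_SECRET)
    stored = enroll_password_bound(oracle, true_pw, salt)
    oracle.calls = 0
    found_bound = crack_password_bound(oracle, stored, salt, wordlist)
    bound_queries = oracle.calls

    oracle = BlindHashOracle(SERVICE_SECRET)
    stored = enroll_token_bound(oracle, true_pw, salt, token)
    oracle.calls = 0
    found_token = crack_token_bound(oracle, stored, salt, token, wordlist)
    token_queries = oracle.calls

    return found_bound, bound_queries, found_token, token_queries


if __name__ == "__main__":
    print(demo())
```

In the password-bound design the number of service queries equals the number of guesses, which is what lets the provider rate-limit and alert on cracking; in the token-bound design a single query per user retrieves the pepper and the remainder of the attack runs offline at the attacker's own speed.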


Actually, I think a better way to describe this is user-specific peppers instead of calling it a salt.


The thing sent to their service shouldn't be known by anyone but the user, then it can't be stolen from the website.



