> From: John Stoffel [mailto:[email protected]]
> 
> Edward> Let the salt be generated from: (1) the username, (2) a host
> Edward> identifier CBCryptHostID, and (3) certified random number
> Edward> published by certificate authorities.
> 
> But an attacker has all three values of the salt, right?  How do you
> mix the salt into the bcrypt() hash of the password?  Esp since the
> user only gives you back the encrypted value?

The diagram is in the tech video. I could answer the question here anyway, but 
I'm feeling like, going into that level of detail right now on email is 
distracting to the actual core message, which is:

Any information you care to protect with HTTPS against random people 
maintaining the routers of the Internet, you probably also care to protect 
against random developers and sysadmins maintaining the networks and servers at 
the remote end of the HTTPS connection.

_______________________________________________
bblisa mailing list
[email protected]
http://www.bblisa.org/mailman/listinfo/bblisa
