Hello,

2015-06-09 16:16 GMT+02:00 Josh Smeaton <josh.smea...@gmail.com>:

> You're referring to a "pepper" - a site wide secret that's supposed to be
> used, in some way, to further encrypt passwords. As far as I'm aware there
> are no algorithms available that take a pepper into consideration.

I'm also wary of implementing a mechanism that isn't considered a best practice in the industry. Pepper doesn't achieve anything that you couldn't do by changing the number of rounds (or perhaps the salt length, but I'm not sure that makes sense). Any additional code adds potential for implementation mistakes that could introduce security issues. As a consequence, I think there are more risks than benefits to this proposal as it stands. I would change my mind if pepper countered a common class of attacks, like salt countered rainbow tables.

--
Aymeric.

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
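What the two options compared in this message look like in code, as an added example that is not part of the original thread and not Django's own hasher code: salted PBKDF2 with the round count stored in the record, and the same hash with a site-wide pepper applied through HMAC-SHA256 first. The pepper construction, the function names, the record format and the sample values are assumptions; the thread does not specify any of them.

```python
import hashlib
import hmac
import secrets

# Constructed sample values, for illustration only.
SITE_PEPPER = b"constructed-site-wide-secret"  # hypothetical; kept outside the database
ITERATIONS = 20_000


def hash_password(password, *, salt=None, iterations=ITERATIONS, pepper=None):
    """Return 'iterations$salt_hex$hash_hex' (assumed record format).

    If a pepper is given, the password is keyed with HMAC-SHA256 before PBKDF2.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    material = password.encode("utf-8")
    if pepper is not None:
        material = hmac.new(pepper, material, hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", material, salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, encoded, *, pepper=None):
    """Recompute the hash from the stored rounds and salt, compare in constant time."""
    iterations, salt_hex, _ = encoded.split("$")
    candidate = hash_password(
        password, salt=bytes.fromhex(salt_hex),
        iterations=int(iterations), pepper=pepper,
    )
    return hmac.compare_digest(candidate, encoded)


def demo():
    """Exercise both knobs on one constructed password."""
    old_rounds = hash_password("hunter2", iterations=1_000)
    peppered = hash_password("hunter2", pepper=SITE_PEPPER)
    return {
        # Rounds and salt travel with the record, so an old hash still verifies.
        "old_rounds_ok": verify_password("hunter2", old_rounds),
        "peppered_ok": verify_password("hunter2", peppered, pepper=SITE_PEPPER),
        # The pepper is not in the record: verification depends on the secret.
        "peppered_without_secret": verify_password("hunter2", peppered),
        "peppered_after_rotation": verify_password("hunter2", peppered, pepper=b"rotated"),
    }


if __name__ == "__main__":
    print(demo())
```

The round count is self-describing in the stored record, while the peppered path adds a second input that has to be stored, supplied and rotated outside it.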