On Sat, Mar 16, 2013 at 6:37 PM, Thomas Gries <[email protected]> wrote:
> On 17.03.2013 01:46, Jeremy Baron wrote:
> > On Mar 16, 2013 7:18 PM, "Thomas Gries" <[email protected]> wrote:
> > > Why not salt-per-user ?
> >
> > I'm not sure what you mean.
> >
>
> It is much safer to have a different salt per user.
> http://crackstation.net/hashing-security.htm
>
> section The RIGHT Way: How to Hash Properly
> ...
> The salt needs to be unique per-user per-password. Every time a user
> creates an account or changes their password, the password should be hashed
> using a new random salt. Never reuse a salt. The salt also needs to be
> long, so that there are many possible salts. As a rule of thumb, make your
> salt at least as long as the hash function's output. The salt should be
> stored in the user account table alongside the hash.
>

We're talking about salt stack, which is a remote execution and configuration management framework. We're not talking about cryptography.

- Ryan
_______________________________________________
Labs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/labs-l
