Consider switching to libsodium for encryption #86
« lol » ?
He hardcoded the salt in the password hash.
Is that a bad thing?
The "salt" is what hashes your thing, I think, but if it's bad, though? idk
Well, consider the following scenario. An attacker compromises a multitude of PCs and obtains a list of password hashes. If the salt was randomized for each hash, then the attacker would need to brute-force each password hash individually. But since the salt is hard-coded, the attacker would be able to compare the passwords to one list of common passwords, lowering the amount of work he would need to do to crack the passwords.
To be more accurate, he would be able to pre-compile a list of hashed passwords with that salt, and then any weak passwords could just be looked up. It's called a rainbow table attack.
Rolling your own crypto is never good.
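The following is an added example, not code from this project or from the quoted conversation. It shows the property the thread is about: with one hard-coded salt, every user who picks the same password ends up with a byte-identical stored digest, so a single precomputed table answers for all of them; with a fresh random salt per record the digests differ and each one has to be attacked on its own. PBKDF2 from Python's standard library stands in for the project's actual hash function (the issue proposes libsodium, whose `crypto_pwhash_str` draws a random salt itself); the salt value, iteration count and the three sample accounts are constructed for the example. The `duplicate_digest_groups` audit is the check a defender can run over an existing credential store to spot a fixed-salt deployment.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the hard-coded salt the issue describes; the
# project's real value is not on the page and is not needed to show the problem.
FIXED_SALT = b"constant-salt-used-for-every-user"
ITERATIONS = 100_000  # PBKDF2 work factor (assumption; tune for your deployment)


def hash_with_fixed_salt(password: str) -> bytes:
    """The pattern under discussion: every user shares one salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), FIXED_SALT, ITERATIONS)


def hash_with_random_salt(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-record random salt. The salt is stored beside the digest; it is not secret,
    its job is only to make each record's precomputation cost separate."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_with_random_salt(password, salt)
    return hmac.compare_digest(digest, expected)


def duplicate_digest_groups(records: Dict[str, bytes]) -> List[List[str]]:
    """Defender-side audit: groups of users whose stored digests are byte-identical.
    With a fixed salt, every pair of users sharing a password collides here, which is
    exactly what lets one lookup table serve against the whole store."""
    by_digest: Dict[bytes, List[str]] = {}
    for user, digest in records.items():
        by_digest.setdefault(digest, []).append(user)
    return [users for users in by_digest.values() if len(users) > 1]


# Constructed sample: two users happen to pick the same weak password.
SAMPLE_PASSWORDS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}


def fixed_salt_store() -> Dict[str, bytes]:
    """Credential store built the way the issue criticises."""
    return {u: hash_with_fixed_salt(p) for u, p in SAMPLE_PASSWORDS.items()}


def random_salt_store() -> Dict[str, Tuple[bytes, bytes]]:
    """Credential store with a fresh salt per record, stored as (salt, digest)."""
    return {u: hash_with_random_salt(p) for u, p in SAMPLE_PASSWORDS.items()}


if __name__ == "__main__":
    fixed = fixed_salt_store()
    print("fixed salt, duplicate digests:", duplicate_digest_groups(fixed))
    rand = random_salt_store()
    print("random salt, duplicate digests:",
          duplicate_digest_groups({u: d for u, (_, d) in rand.items()}))
    salt, digest = rand["alice"]
    print("verify alice:", verify("hunter2", salt, digest), verify("wrong", salt, digest))
```

Running the audit against the fixed-salt store reports alice and bob as a colliding group; against the random-salt store it reports nothing, even though they still share a password. That difference is the whole argument for a per-record salt, whichever library ends up generating it.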