Salting: Is it reasonable to use the user name?

前端 未结 6 2049
礼貌的吻别
礼貌的吻别 2021-02-20 16:53

I am debating using user-names as a means to salt passwords, instead of storing a random string along with the names. My justification is that the purpose of the salt is to prev

6条回答
  •  名媛妹妹
    2021-02-20 17:28

    I know this is an old question but for anyone searching for a solution based on this question.

    If you use a derived salt (as opposed to random salt), the salt source should be strengthened by using a key derivation function like PBKDF2.

    Thus if your username is "theunhandledexception" pass that through PBKDF2 for x iterations to generate a 32 bit (or whatever length salt you need) value.

    Make x pseudo random (as opposed to even numbers like 1,000) and pass in a static site specific salt to the PBKDF2 and you make it highly improbable that your username salt will match any other site's username salt.

提交回复
热议问题