Skip to main content
Cryptography

You are not logged in. Your edit will be placed in a queue until it is peer reviewed.

We welcome edits that make the post easier to understand and more valuable for readers. Because community members review edits, please try to make the post substantially better than how you found it, for example, by fixing grammar or adding additional resources and hyperlinks.

Required fields*

3
  • $\begingroup$ Please make it explicit that the attack you’re contemplating is: we have two independent websites adhering to similar salt policies; user sets same cleartext password on both sites; attacker obtains the Site A hashes with salts; attacker obtains a Site B credential and spends cycles on rainbow attack against A. (Or nail down some alternate scenario that you want to protect against.) $\endgroup$ Commented Jul 11, 2023 at 2:50
  • $\begingroup$ @J_H but that is not the attack I'm contemplating. Also, the pepper (e.g, 128-bits or 256-bits) automatically makes all the salts on my website globally-unique anyway, but, still, not very "unpredictable" between one another. My question, in turn, is just asking how much of this "unpredictability" is really needed... $\endgroup$ Commented Jul 11, 2023 at 3:25
  • $\begingroup$ For an extreme example, if salts only changed just one bit (in the same place) between password resets for a given user, then merely just two different rainbow tables could possibly crack any (past, present, and future) low-entropy password chosen by that user. But, if one bit of unpredictability between salts is too little, how about 32-bits then? Is that enough, or do you need 64, or even 128-bits? What is a reasonable amount of "dynamic bits" here? $\endgroup$ Commented Jul 11, 2023 at 7:33