Nice write up!
You could also use a "pepper" in addition to the salt, in order to add an additional layer of protection.
The purpose of the pepper is to prevent an attacker from being able to crack any of the hashes if they only have access to the hash database.
You can hash your password as usual, and then encrypt the hashes using a symmetric key algorithm with the pepper playing the role of the encryption key, without affecting or interacting with the hash or the password itself in any way.
This will provide an additional layer of protection if the password database gets dumped, but also keep the passwords valid if the pepper is considered compromised.
Note that the pepper should not be stored in the database!
Indeed, using a pepper is also a good idea. This does add a bit of extra work, so it may depend on the actual use-case of the app if it is worth it. Then again, hardware is quite cheap nowadays. Thanks for pointing it out.