Hacker News
bnr on July 12, 2012 | on: What PHP 5.5 might look like
If the attacker has one known password in the database, finding the pepper has the same difficulty as finding one password in a DB without pepper.
masklinn on July 12, 2012
That is not entirely true: the pepper is usually randomly generated, so a "smart" brute-forcing tool (using combinations and substitutions on a base corpus) will have a much harder time matching something.
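The point argued in the two comments above, as an added example that is not part of the thread: a check of whether a pepper falls inside a corpus-plus-substitutions guess space when one password in the database is known. The HMAC-then-PBKDF2 construction, the word list, the substitution table and the known password are assumptions constructed for illustration; the thread does not specify a scheme.

```python
import hashlib
import hmac
import itertools
import secrets

# Assumed scheme (not specified in the thread): HMAC the password with the
# pepper, then run a salted PBKDF2 over the result.
def peppered_hash(password: bytes, salt: bytes, pepper: bytes) -> bytes:
    inner = hmac.new(pepper, password, hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", inner, salt, 1000)

# Constructed base corpus and substitutions, standing in for the
# "combinations and substitutions on a base corpus" mentioned above.
BASE_WORDS = ["secret", "pepper", "password", "admin"]
SUBS = {"e": "3", "a": "4", "o": "0", "s": "5"}

def variants(word: str):
    """Yield every spelling of word with each substitutable letter swapped or not."""
    choices = [(c, SUBS[c]) if c in SUBS else (c,) for c in word]
    for combo in itertools.product(*choices):
        yield "".join(combo).encode()

def corpus_candidates():
    for word in BASE_WORDS:
        yield from variants(word)

def pepper_in_corpus(known_password: bytes, salt: bytes, stored: bytes) -> bool:
    """True if a corpus-derived guess reproduces the stored hash of a known password."""
    return any(
        hmac.compare_digest(peppered_hash(known_password, salt, guess), stored)
        for guess in corpus_candidates()
    )

def audit(pepper: bytes) -> bool:
    """Hash a constructed known password under pepper and test it against the corpus."""
    salt = secrets.token_bytes(16)
    known = b"correct horse"  # constructed: the one password assumed to be known
    return pepper_in_corpus(known, salt, peppered_hash(known, salt, pepper))

if __name__ == "__main__":
    print("word-like pepper guessable:", audit(b"p3pp3r"))
    print("random 128-bit pepper guessable:", audit(secrets.token_bytes(16)))
```

A pepper drawn from `secrets.token_bytes` is outside any word-derived guess space, so recovering it means searching the full key space rather than a password-sized one.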