2.4.2 Salt size recommendation #994
Labels: 1) Discussion ongoing (Issue is opened and assigned but no clear proposal yet)

In 2.4.2, it is mentioned to have a salt of 32 bits, which is barely 4 bytes.
I believe this should be raised to 128 bits, to ensure that it is random enough across the DB and across other used DBs.
The best thing would be to match the hash length and go beyond it, but that might be too much.

Comments

There is no need to salt modern password storage algorithms (they do it for you).
Please see the following for very updated advice:
https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

See also #1002.

elarlang added the "1) Discussion ongoing" (Issue is opened and assigned but no clear proposal yet) label on Jul 20, 2021.

Salts have been removed from 2.4 making this issue moot.
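The issue asks for 128-bit salts instead of 32-bit ones, and the reply notes that modern password-storage libraries pick the salt for you. The following added example (not code from the ASVS project or from any participant in this thread) illustrates both points with Python's standard library only: a small scrypt wrapper that draws a 16-byte (128-bit) salt from `secrets`, embeds it in the returned string the way argon2 and bcrypt libraries do, and verifies against that string; plus a birthday-bound estimate of how likely two users in one database end up with the same salt at 32 versus 128 bits. The wrapper, its `$scrypt$...` string layout, the parameter names and the scrypt cost settings are my own assumptions for illustration, not an ASVS requirement.

```python
import base64
import hashlib
import hmac
import math
import secrets
from typing import Optional

# Illustrative settings (assumed for this example; tune cost for your hardware
# per the OWASP Password Storage Cheat Sheet).
SALT_BYTES = 16                         # 128-bit salt, as proposed in the issue
SCRYPT_LOG_N, SCRYPT_R, SCRYPT_P = 14, 8, 1
DK_LEN = 32


def _b64(raw: bytes) -> str:
    """Base64 without '=' padding, as PHC-style hash strings use."""
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: algorithm, parameters, salt and hash.

    The caller never chooses a salt; a fresh random one is drawn per call,
    which is what 'the library does it for you' means in practice.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=1 << SCRYPT_LOG_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
    return (f"$scrypt$ln={SCRYPT_LOG_N},r={SCRYPT_R},p={SCRYPT_P}"
            f"${_b64(salt)}${_b64(dk)}")


def verify_password(password: str, stored: str) -> bool:
    """Re-derive using the salt and parameters carried in the stored string.

    Malformed input returns False rather than raising; the final comparison
    is constant-time so the check does not leak how many bytes matched.
    """
    try:
        _, algo, params, salt_b64, dk_b64 = stored.split("$")
        if algo != "scrypt":
            return False
        kv = dict(item.split("=") for item in params.split(","))
        n, r, p = 1 << int(kv["ln"]), int(kv["r"]), int(kv["p"])
        salt, expected = _unb64(salt_b64), _unb64(dk_b64)
    except (ValueError, KeyError):
        return False
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def salt_collision_probability(users: int, salt_bits: int) -> float:
    """Birthday bound: P(some two users share a salt) ~ 1 - exp(-n(n-1) / 2N).

    A shared salt lets an attacker crack those accounts with one hash run,
    which is the 'random enough across the DB' concern in the issue.
    """
    space = 2 ** salt_bits
    return 1.0 - math.exp(-users * (users - 1) / (2 * space))


if __name__ == "__main__":
    h1 = hash_password("correct horse battery staple")
    h2 = hash_password("correct horse battery staple")
    print(h1)
    print(h2)   # same password, different string: the salt lives inside it
    print(verify_password("correct horse battery staple", h1),
          verify_password("wrong password", h1))
    for bits in (32, 128):
        print(f"{bits}-bit salt, 100k users: "
              f"P(collision) = {salt_collision_probability(100_000, bits):.3g}")
```

With 100,000 users a 32-bit salt already gives roughly a 69% chance that at least two accounts share a salt, while at 128 bits the probability is indistinguishable from zero in double precision; that difference, not the per-user randomness, is why the issue's 128-bit figure is the sensible floor and why the libraries named in the cheat sheet generate salts of that size on their own.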