4 upvotes, 2 direct replies (showing 2)
View submission: How to keep your Reddit account safe
Do you also pepper them for even more flavor?
Comment by DontRememberOldPass at 06/05/2019 at 19:32 UTC
6 upvotes, 1 direct replies
Peppering is also a thing (usually combined with salting). The hashes are encrypted using a key pair that is not accessible to the login service. So it has to fetch the encrypted hash from the database, hand it off to a service asking for it to be decrypted, then compare the unencrypted hash. The decryption service is generally locked down to a small handful of engineers that don’t have access to the other parts of the system, and implements rate limiting.
The end result is that if the hashes are stolen, they cannot be cracked offline without also stealing the encryption keys stored separately.
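The flow described in this comment (login service stores only a salted hash, a separate locked-down service holds the key and rate-limits calls, and a stolen table cannot be cracked offline without that key), as an added example that is not part of the thread. It uses a keyed HMAC as the pepper instead of the encrypt/decrypt step the comment describes, so it stays within the Python standard library; the class names, the budget counter standing in for a real rate limiter, the scrypt parameters and the sample credentials are all assumptions.

```python
import hashlib
import hmac
import secrets


class PepperService:
    """Holds the pepper key. Only this component ever sees it; the login
    service has to call in for every check. Constructed example."""

    def __init__(self, pepper: bytes, budget: int):
        self._pepper = pepper
        self._budget = budget  # calls left in this window; stands in for a real rate limiter

    def pepper(self, salted_hash: bytes) -> bytes:
        if self._budget <= 0:
            raise RuntimeError("pepper service rate limit exceeded")
        self._budget -= 1
        return hmac.new(self._pepper, salted_hash, hashlib.sha256).digest()


def salted_hash(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (scrypt); this is the only step an attacker with a leaked table can redo."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


class LoginService:
    def __init__(self, pepper_service: PepperService):
        self._svc = pepper_service
        self._users = {}  # username -> (salt, peppered hash): exactly what a DB breach exposes

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._svc.pepper(salted_hash(password, salt)))

    def verify(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None:
            return False
        salt, stored = rec
        try:
            candidate = self._svc.pepper(salted_hash(password, salt))
        except RuntimeError:  # key service refused (rate limited): fail closed
            return False
        return hmac.compare_digest(candidate, stored)

    def leaked_table(self) -> dict:
        """Simulates the attacker's view after a database theft (no pepper key)."""
        return dict(self._users)


def offline_guess_without_pepper(leaked: dict, username: str, guesses: list) -> list:
    """Checks guesses against a stolen record using only the salt: with the pepper
    applied server-side, even the correct password never matches the stored value."""
    salt, stored = leaked[username]
    return [g for g in guesses if hmac.compare_digest(salted_hash(g, salt), stored)]
```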
Comment by VastAdvice at 07/05/2019 at 01:04 UTC
1 upvotes, 0 direct replies
No but they do push it real good.