Comment by DontRememberOldPass on 06/05/2019 at 19:32 UTC

7 upvotes, 1 direct replies (showing 1)

View submission: How to keep your Reddit account safe


Peppering is also a thing (usually combined with salting). The hashes are encrypted using a key pair that is not accessible to the login service. So it has to fetch the encrypted hash from the database, hand it off to a service asking for it to be decrypted, then compare the unencrypted hash. The decryption service is generally locked down to a small handful of engineers that don’t have access to the other parts of the system, and implements rate limiting.

The end result is that if the hashes are stolen, they cannot be cracked offline without also stealing the encryption keys stored separately.
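The split described in the comment, as an added example (not code from the thread or from Reddit): a login service stores only a salted hash that has been sealed by a separate service holding the pepper key, and must call that service on every check. The example substitutes a keyed HMAC for the asymmetric encryption the comment describes, so that it runs on the Python standard library alone; the property is the same, because neither the login service nor a stolen database row holds the key. All class names, the scrypt cost parameters and the call budget are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed cost parameters for the example; production tunes these to hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
HASH_LEN = 32


def salted_hash(password: str, salt: bytes) -> bytes:
    """Layer one from the comment: a slow, per-user salted hash."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                          maxmem=2 ** 26, dklen=HASH_LEN)


class PepperService:
    """Stands in for the locked-down service that alone holds the pepper key.

    The login service never reads `_key`; it can only ask for a hash to be
    sealed. The call budget models the rate limiting the comment mentions,
    which is what makes the service unattractive as an online oracle.
    """

    def __init__(self, key: bytes, max_calls: int):
        self._key = key          # HMAC key (assumption: symmetric, not a key pair)
        self._budget = max_calls
        self.calls = 0

    def seal(self, password_hash: bytes) -> bytes:
        if self.calls >= self._budget:
            raise PermissionError("pepper service: rate limit exceeded")
        self.calls += 1
        return hmac.new(self._key, password_hash, hashlib.sha256).digest()


@dataclass
class UserRecord:
    salt: bytes         # public, stored next to the sealed hash
    sealed_hash: bytes  # everything a database breach would expose


class LoginService:
    """Holds the user table but no key; every verification goes through the pepper service."""

    def __init__(self, pepper: PepperService):
        self._pepper = pepper
        self.db: dict[str, UserRecord] = {}

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        sealed = self._pepper.seal(salted_hash(password, salt))
        self.db[username] = UserRecord(salt=salt, sealed_hash=sealed)

    def verify(self, username: str, password: str) -> bool:
        record = self.db.get(username)
        if record is None:
            return False
        candidate = self._pepper.seal(salted_hash(password, record.salt))
        # Constant-time comparison so the check itself leaks nothing via timing.
        return hmac.compare_digest(candidate, record.sealed_hash)


def guess_matches_leaked_row(record: UserRecord, guess: str) -> bool:
    """What someone holding only a leaked row can compute: the salted hash,
    compared against the sealed value. Without the key this never matches,
    even for the correct password, which is the comment's point."""
    return hmac.compare_digest(salted_hash(guess, record.salt), record.sealed_hash)


if __name__ == "__main__":
    pepper = PepperService(secrets.token_bytes(32), max_calls=100)
    login = LoginService(pepper)
    login.register("alice", "correct horse battery staple")
    print("login ok:", login.verify("alice", "correct horse battery staple"))
    print("offline check with only the DB row:",
          guess_matches_leaked_row(login.db["alice"], "correct horse battery staple"))
```

The salt still does its usual job (two users with the same password get different sealed values), while the pepper key turns the stored value into something that cannot be verified offline. Operationally, the things worth monitoring are the pepper service's call rate and who can reach it, since those are the controls the comment says are locked down.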

Replies

Comment by rsprobo at 06/05/2019 at 19:37 UTC

2 upvotes, 0 direct replies

I didn't expect my joke (I knew about salting, but didn't realize peppering was actually a thing) to lead to learning something actually interesting. Thanks for the explanation!