Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
What if an attacker know that I am using this library?
See original GitHub issueAs we know, the hash method is returning a JSON string which contains: hash, salt, keyLength, hashMethod, iterations. Now, without knowing how an app using this library is hashing passwords, the attacker will have no way/will be slowed down when trying(?) to crack the passwords, but what if he/she knows that I am using credential library (and also its version)?
If you don’t mind another question, how would you go about rehashing users passwords with more cycles? https://github.com/ericelliott/credential/issues/23#issuecomment-83959967
Issue Analytics
- State:
- Created 8 years ago
- Comments:9 (1 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Closing all stale issues and PRs. Please update, ensure all tests pass, and reopen if you really want this in.
What you’re referring to is a “pepper”, and yes, it may give you some additional security in the specific scenario where your database is compromised but your application is not. If you want to do this, it is as simple as appending your pepper before handing it to the
hashmethod.There are more in-depth answers here: http://security.stackexchange.com/questions/3272/password-hashing-add-salt-pepper-or-is-salt-enough