NIST proposes barring some of the most nonsensical password rules - eviltoast

Here is the text of the NIST sp800-63b Digital Identity Guidelines.

  • frezik@midwest.social
    link
    fedilink
    English
    arrow-up
    4
    ·
    2 months ago

    Some implementers reuse the same salt for all passwords. It’s not the worst thing ever, but it does make it substantially easier to crack than if everything has its own salt.

    • orclev@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      2 months ago

      That’s a pepper not a salt. A constant value added to the password that’s the same for every user is a pepper and prevents rainbow table attacks. A per-user value added is a salt and prevents a number of things, but the big one is being able to overwrite a users password entry with another known users password (perhaps with a SQL injection).