
For passwords, yes, this is generally best practice. Also, the salt is normally stored with the hashed password, as it’s not regarded as a secret.

Modern GPUs can manage several billion SHA-256 hashes/sec, so even with a salt per hash it's not going to take long to get a given entry, given the 32-bit address space of IPv4.




You can use bcrypt or argon2 to make it much slower than that.
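The two points above (a known salt does not save a 32-bit input space from enumeration, and a deliberately slow hash raises the per-guess cost) as an added example; this is not code from the thread. The salt, the target address (a TEST-NET-3 documentation address) and the hash rate are constructed values, and `hashlib.scrypt` from the standard library stands in for bcrypt/argon2, which the comment names but which are not in the stdlib.

```python
import hashlib
import ipaddress
import time
from typing import Optional

# Constructed sample values for the demonstration (assumptions, not from the thread).
SALT = b"per-entry-salt-0001"   # stored beside the hash; per the thread it is not a secret
TARGET_IP = "203.0.113.57"      # RFC 5737 documentation address, chosen arbitrarily


def salted_sha256(salt: bytes, ip: str) -> bytes:
    """SHA-256(salt || dotted-quad) - the fast, salted scheme being criticised."""
    return hashlib.sha256(salt + ip.encode()).digest()


def recover_ip(salt: bytes, digest: bytes, network: str) -> Optional[str]:
    """Recover the address behind a salted SHA-256 by enumerating every candidate.

    The salt only stops precomputed tables; with the salt stored next to the
    digest the attacker simply hashes each candidate. The candidate space is the
    address space, at most 2**32 for IPv4, so this always terminates quickly.
    The network argument narrows the demo to a /24; the full space is the same
    loop over ipaddress.ip_network("0.0.0.0/0").
    """
    for addr in ipaddress.ip_network(network):
        if salted_sha256(salt, str(addr)) == digest:
            return str(addr)
    return None


def seconds_for_full_ipv4(hashes_per_second: float) -> float:
    """Worst-case time to walk all 2**32 IPv4 addresses at a given hash rate."""
    return 2 ** 32 / hashes_per_second


def slow_hash(salt: bytes, ip: str) -> bytes:
    """Memory-hard stand-in for bcrypt/argon2 (assumption: scrypt from hashlib).

    n=2**14, r=8 costs about 16 MiB of memory per evaluation, so each guess is
    orders of magnitude more expensive than a single SHA-256 block.
    """
    return hashlib.scrypt(ip.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def _rate(fn, count: int) -> float:
    """Evaluations per second of fn over `count` distinct inputs (rough, single-threaded)."""
    start = time.perf_counter()
    for i in range(count):
        fn(SALT, str(ipaddress.IPv4Address(i)))
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    digest = salted_sha256(SALT, TARGET_IP)
    print("recovered:", recover_ip(SALT, digest, "203.0.113.0/24"))
    # Constructed figure in the spirit of the comment: a few billion SHA-256/s on a GPU.
    print("full IPv4 sweep at 3e9 H/s: %.1f s" % seconds_for_full_ipv4(3e9))
    fast = _rate(salted_sha256, 20000)
    slow = _rate(slow_hash, 5)
    print("single-core SHA-256 rate: %.0f H/s, full sweep %.0f s" % (fast, seconds_for_full_ipv4(fast)))
    print("single-core scrypt rate: %.1f H/s, full sweep %.0f days" % (slow, seconds_for_full_ipv4(slow) / 86400))
```

The scrypt parameters are illustrative; real deployments tune cost to their own hardware, and a slow hash only buys time because 2**32 inputs can still be exhausted with enough cores.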


But why?

If I get a DoS attack or spam, I need the IP to find out to whom I should file an abuse complaint.

Do we need to sanitize SMTP headers too? How about shutting down DNSBL?



