
Yeah, idiot web programmers that don't encrypt PWs and use salting.

Use a PW manager. If you really don't want to use one, don't use the same PW. At least add your own salt.

e.g. HN@thepwialwaysuse4

HN would be the "salt" for Hackernews.




But if that salted pw gets exposed, can a hacker just guess your pws for other sites?

E.g. myBank@thepwialwaysuse


Yes, but you're not important enough for someone to try your password on other sites by hand, and bots are hopefully not smart enough to do this automatically.

You should still use a password manager. Or at least a paper notebook.


Do bots need to do this automatically? What if a programmer gets that database and does a quick search for those naive salts? Then he can do some pattern matching and try the same pattern in some sites like PayPal, Apple, Gmail, etc. Generalize it a bit and you can even create a tool to do this for you for every new database leaked.


> Then he can do some pattern matching and try the same pattern in some sites like PayPal, Apple, Gmail, etc. Generalize it a bit and you can even create a tool to do this for you for every new database leaked.

It's the bike lock principle. A bike lock is rarely going to be strong enough to secure your bike. It doesn't have to. It just needs to be secure enough that the thief will nick the next bike. Putting pnt12:HackerNews53cureP4ssw0rd and pnt12@gmail.com:HackerNews53cureP4ssw0rd into every service is going to be profitable enough that they don't necessarily have to try the next step.

But in general you're right: don't use these. Reused passwords aren't secure. Use keys generated by so-called password managers.


He would have to break the cryptographic algo to see the salt. Good luck with that. Sure, that is possible for the NSA with weak encryption, but most hackers won't be able to do this. The salt does not give a slightly different hash but a totally different hash. Also, using salt (your own or server-based) should protect you from some kinds of rainbow table attacks.

But just use a PW manager (e.g. enpass.io). I am very happy with it, but I don't use the autofill plug-ins. You can never be paranoid enough.


I think the OP is talking about salts that get concatenated as a prefix or suffix, not the salting that happens in one-way hash functions. Remember the topic here is related to getting your pws exposed and how to easily create different pws to deal with that scenario.


Both. The salting SHOULD happen in one-way hash functions. But sometimes it does not. Using your own prefix when always using the same password is the second worst solution, but at least better than nothing. Poor man's salting :-)

Use a PW manager.
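The server-side salting the last two replies describe (a per-user random salt fed into a one-way hash, so that the same password produces a completely different digest rather than a slightly different one), as an added example that is not part of the thread. The choice of PBKDF2-HMAC-SHA256, the 16-byte salt and the iteration count are my assumptions for illustration, not anything stated by the commenters.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters for this example (not from the thread).
PBKDF2_ITERATIONS = 600_000  # slows down offline guessing of a leaked digest
SALT_BYTES = 16              # random per-user salt; defeats shared rainbow tables
DIGEST_BYTES = 32            # 256-bit output


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Draws a fresh random salt when none is supplied.

    The salt is stored next to the digest in the clear: it is not a secret,
    its job is to make every user's digest unique even for identical passwords.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=DIGEST_BYTES)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes,
                    iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


def hamming_distance_bits(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def salt_effect(password: str, iterations: int = PBKDF2_ITERATIONS) -> int:
    """Hash the same password under two salts that differ in a single bit and
    return how many of the 256 digest bits differ. A proper one-way hash gives
    roughly half (about 128), i.e. a totally different digest, not a near miss.
    """
    salt_a = b"\x00" * SALT_BYTES
    salt_b = b"\x00" * (SALT_BYTES - 1) + b"\x01"
    _, digest_a = hash_password(password, salt_a, iterations)
    _, digest_b = hash_password(password, salt_b, iterations)
    return hamming_distance_bits(digest_a, digest_b)


if __name__ == "__main__":
    # Constructed sample password, same style as the thread's examples.
    salt, digest = hash_password("HN@thepwialwaysuse4")
    print("salt  :", salt.hex())
    print("digest:", digest.hex())
    print("verify ok  :", verify_password("HN@thepwialwaysuse4", salt, digest))
    print("verify bad :", verify_password("HN@thepwialwaysuse5", salt, digest))
    print("bits changed by a 1-bit salt change:", salt_effect("HN@thepwialwaysuse4"))
```

The stored record is the pair (salt, digest); nothing about the user's password choice, prefix included, can be read back from it. A user-side prefix like HN@ only helps once the site has failed to do this and the plaintext has leaked.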


I use a PW manager like it's a religion. But having all my eggs in one basket gets me so nervous. I like the poor man's salting solution, and used it a lot before I got a PW manager. I just like to use a scheme where if you see my PW you cannot make out what the pw will be for some other site. For example if the site is hackernews.com, the pw might be "ag" + myusualpassword. Where "ag" is the first two letters of the base64 string of the URL... in this case "hackernews.com". That was just an example... I will not divulge what I actually used to generate my poor man's salt.



