Comment Re:Make the salts non-trivial (Score 1) 223
You can't save users who use 'aaaaaa' as a password. No matter what you do. Otherwise,
What about the user who uses 11elephant82 as their password? Are they doomed as well?
you're not going to recover thousands of strong passwords properly salted and hashed. It just isn't going to happen.
It will happen easily. The only thing that isn't *ever* happening is people using strong passwords relative to current and projected cost per transistor.
What are you going to protect with that symmetric key?
The password database? It'd still need to be accessible to the machine holding the database, in order to login.
Yes this is just punting responsibility for keeping a secret. Whether punted to physical keys, operating system keychain, TPM circuits or manual startup inputs all of these things do a better job than tens of thousands to millions of hashes stored in the clear on disk.
Regardless password does not need to be accessible to machine holding the database offering some (small) protection against theft while still being much better than nothing (e.g. hashed passwords with a proven track record of epic fail after epic fail)
Properly salting and hashing is the correct solution. Have you checked your oil lately?
I'm afraid to, daily commute to Langley is taking its toll.