
Tide Protocol – “Splintering” passwords for greater security - kmote00
https://www.computerweekly.com/news/252470197/Tide-Foundation-aims-to-boost-password-security
======
linsomniac
Similar gains might be realized by proper use of "pepper", something I hadn't
heard of until a month ago. TL;DR: You add another secret string, never stored
in the database, to the password before hashing. The benefit is that a
database dump does not contain the information needed to crack the passwords.

Example:

  import bcrypt, hashlib
  # password and pepper are bytes; the SHA-512 pre-hash also keeps the input under bcrypt's 72-byte limit
  bcrypt.hashpw(hashlib.sha512(password + pepper).digest(), bcrypt.gensalt(10))

https://en.wikipedia.org/wiki/Pepper_(cryptography)

Alternatively, Dropbox uses AES-256 with the pepper as the key as the last
step. The benefit there is that you can easily change the pepper if it has
been compromised.

https://blogs.dropbox.com/tech/2016/09/how-dropbox-securely-stores-your-passwords/
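
An added example, not code from the comment above or from Dropbox, showing the pepper-before-hash approach end to end: what a database dump actually leaves an attacker with, and how to rotate a pepper that sits in front of the hash. It uses only the standard library, with HMAC-SHA512 to mix in the pepper and PBKDF2 standing in for bcrypt; the pepper values, the record layout and the password are constructed demo inputs, not anything from the thread.

```python
import hashlib
import hmac
import os


def _pepper(password: bytes, pepper: bytes) -> bytes:
    # Mix the pepper in with HMAC rather than plain concatenation: the pepper
    # acts as a key, the output is fixed length, and there is no ambiguity
    # about where the password ends and the pepper begins.
    return hmac.new(pepper, password, hashlib.sha512).digest()


def _slow_hash(data: bytes, salt: bytes) -> bytes:
    # Stand-in for bcrypt so the example runs on the standard library alone.
    # Iteration count is kept modest for demo speed; tune it for production.
    return hashlib.pbkdf2_hmac("sha256", data, salt, 50_000, dklen=32)


class PasswordStore:
    """Hashes and verifies passwords. Peppers never go into the records."""

    def __init__(self, pepper: bytes):
        self.peppers = {1: pepper}   # lives outside the DB (env var, KMS, HSM)
        self.current_id = 1

    def rotate_pepper(self, new_pepper: bytes) -> int:
        # Old peppers stay available so existing records still verify.
        self.current_id += 1
        self.peppers[self.current_id] = new_pepper
        return self.current_id

    def hash_password(self, password: bytes) -> dict:
        salt = os.urandom(16)
        digest = _slow_hash(_pepper(password, self.peppers[self.current_id]), salt)
        # Exactly these three fields are what a database dump would reveal.
        return {"pepper_id": self.current_id, "salt": salt, "hash": digest}

    def verify_password(self, password: bytes, record: dict) -> bool:
        pepper = self.peppers[record["pepper_id"]]
        digest = _slow_hash(_pepper(password, pepper), record["salt"])
        return hmac.compare_digest(digest, record["hash"])

    def login_and_rehash(self, password: bytes, record: dict) -> dict:
        # With pepper-before-hash you cannot re-pepper stored hashes offline
        # (the plaintext password is needed), so rotate lazily: verify under
        # the old pepper, then re-hash under the current one at a successful login.
        if not self.verify_password(password, record):
            raise ValueError("bad password")
        if record["pepper_id"] == self.current_id:
            return record
        return self.hash_password(password)


def offline_guess_without_pepper(candidate: bytes, record: dict) -> bool:
    # What an attacker holding only the dump can do: push each wordlist entry
    # through the same salted slow hash. Without the pepper the HMAC step
    # cannot be reproduced, so even the correct password does not match.
    digest = _slow_hash(candidate, record["salt"])
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    store = PasswordStore(b"demo-pepper-v1")   # constructed demo secret
    rec = store.hash_password(b"correct horse battery staple")
    print(store.verify_password(b"correct horse battery staple", rec))         # True
    print(offline_guess_without_pepper(b"correct horse battery staple", rec))  # False
```

The lazy re-hash in `login_and_rehash` is the price of putting the pepper in front of the hash: records created under an old pepper keep verifying, but only migrate when their owner next logs in. Wrapping the finished hash with AES under the pepper, as the Dropbox post above describes, avoids that, since every record can be decrypted and re-encrypted under a new key without knowing any password.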

------
kmote00
tldr; The Tide Foundation, a non-profit organisation, has developed a
mechanism that it says makes passwords exponentially more difficult to crack.

