

Password Salting isn't just for Servers - wpeterson
http://blog.winfieldpeterson.com/2012/06/07/password-salting-isnt-just-for-servers/

======
jgeorge
So the suggested trick of adding a site-specific token to a common secure
password strikes me as kind of pointless. Admittedly, I did this myself for a
short time until it struck me that it was no more secure than a common
password in the first place.

Ignoring for the moment the slightly-longer-than-average cracking time for a
longer password, once your password of "linkedinTink3rb3ll" is compromised,
how hard is it for someone to assume your Twitter password is
"twitterTink3rb3ll"?

Am I missing something and is this token+password trick useful in a way I'm
not familiar with?

Not to criticize Winfield specifically for suggesting this - as I said, I
thought this was a good idea a while ago myself until I couldn't continue to
justify it as a good idea. It does add a longer password for relatively no
additional mental cost to retain it, and it does result in different hashes so
it's not obvious it's being done.

I ask primarily in case I'm missing something obviously useful about this
tactic instead of having to use passwords that look like my cat slept on my
keyboard.

~~~
joshstrange
No @jgeorge you are completely correct, I was just coming here to raise the
same point. This is NOT password salting, it's appending a string to the start
of each password based on the site. But it's not just any string, no, the
author of this blog post wants you to put the NAME of the site the password is
for. It will take someone a whole 5 seconds to guess that if for your FB
password you used facebookFsdh52f then your google password _might_ just be...
wait for it.... googleFsdh52f.

Now if you were "salting" (Still not sure that's what I would call it) your
passwords for each site you used with a RANDOM string then yes it would
provide extra security, however at that point why aren't you just randomly
generating the whole thing.

The author clearly doen't know what he is talking about and is using buzzwords
to drive pageviews. He is an idiot.

