Hacker News new | comments | show | ask | jobs | submit login
Password Salting isn't just for Servers (winfieldpeterson.com)
1 point by wpeterson 1647 days ago | hide | past | web | 2 comments | favorite

So the suggested trick of adding a site-specific token to a common secure password strikes me as kind of pointless. Admittedly, I did this myself for a short time until it struck me that it was no more secure than a common password in the first place.

Ignoring for the moment the slightly-longer-than-average cracking time for a longer password, once your password of "linkedinTink3rb3ll" is compromised, how hard is it for someone to assume your Twitter password is "twitterTink3rb3ll"?

Am I missing something and is this token+password trick useful in a way I'm not familiar with?

Not to criticize Winfield specifically for suggesting this - as I said, I thought this was a good idea a while ago myself until I couldn't continue to justify it as a good idea. It does add a longer password for relatively no additional mental cost to retain it, and it does result in different hashes so it's not obvious it's being done.

I ask primarily in case I'm missing something obviously useful about this tactic instead of having to use passwords that look like my cat slept on my keyboard.

No @jgeorge you are completely correct, I was just coming here to raise the same point. This is NOT password salting, it's appending a string to the start of each password based on the site. But it's not just any string, no, the author of this blog post wants you to put the NAME of the site the password is for. It will take someone a whole 5 seconds to guess that if for your FB password you used facebookFsdh52f then your google password might just be... wait for it.... googleFsdh52f.

Now if you were "salting" (Still not sure that's what I would call it) your passwords for each site you used with a RANDOM string then yes it would provide extra security, however at that point why aren't you just randomly generating the whole thing.

The author clearly doen't know what he is talking about and is using buzzwords to drive pageviews. He is an idiot.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact