Re: Using `SECRET_KEY` in password hashers

For those who need something like this, I created a python package "django-peppered-passwords". https://github.com/fatih-erikli/django-peppered-passwords On Mon, Jun 19, 2023 at 8:54 PM Fatih Erikli wrote: > I recently created a ticket about it > https://code.djangoproject.com/ticket/34661 > >

Re: Using `SECRET_KEY` in password hashers

I recently created a ticket about it https://code.djangoproject.com/ticket/34661 It has been marked duplicate of https://code.djangoproject.com/ticket/30561 There is a document of NIST added on the original ticket. I think if there is going to be any compliance investigation about a Django

Re: Using `SECRET_KEY` in password hashers

Hello, 2015-06-09 16:16 GMT+02:00 Josh Smeaton : > You're referring to a "pepper" - a site wide secret that's supposed to be > used, in some way, to further encrypt passwords. As far as I'm aware there > are no algorithms available that take a pepper into consideration. >

Re: Using `SECRET_KEY` in password hashers

You're referring to a "pepper" - a site wide secret that's supposed to be used, in some way, to further encrypt passwords. As far as I'm aware there are no algorithms available that take a pepper into consideration. Further, I don't see the need for the inclusion of a pepper if the password

Re: Using `SECRET_KEY` in password hashers

FWIW the idea is relatively old and I think mozilla has a 3rd party app which just adds that functionality to the hashers. As far as I remember it even allows having multiple secrets and as such migrate to a new key. On Tuesday, June 9, 2015 at 7:16:02 AM UTC+2, Ram Rachum wrote: > > Hi, > >

Re: Using `SECRET_KEY` in password hashers

On Tue, Jun 9, 2015 at 9:56 AM, Curtis Maloney wrote: > So, the benefit of your case is it's one more step for an attacker if they > want to brute-force your password database -- that they _also_ need to > steal your PASSWORD_SECRET. > > The downside is, in the very

Re: Using `SECRET_KEY` in password hashers

So, the benefit of your case is it's one more step for an attacker if they want to brute-force your password database -- that they _also_ need to steal your PASSWORD_SECRET. The downside is, in the very case where they _do_ steal it, you must immediately invalidate every password by changing your

Re: Using `SECRET_KEY` in password hashers

If the leak happened because someone got into your code repo, you're right. (I can't rule out a scenario where someone got your SECRET_KEY with some other method, like analyzing data that was generated with the secret key.) But even if there's a leak, then you're in a situation not worse than

Re: Using `SECRET_KEY` in password hashers

On Tuesday 09 June 2015 08:23:03 Ram Rachum wrote: > On Tue, Jun 9, 2015 at 8:22 AM, Curtis Maloney > wrote: > > On 9 June 2015 at 15:16, Ram Rachum wrote: > >> > >> What do you think about using the project's `SECRET_KEY` as an > >> additional

Re: Using `SECRET_KEY` in password hashers

Okay, so how about if we use a separate secret? On Tue, Jun 9, 2015 at 8:22 AM, Curtis Maloney wrote: > I think it'd royally screw you over if you ever had to change your secret > key [due to suspected leak, for example] as now all your passwords are > invalid. > >

Re: Using `SECRET_KEY` in password hashers

I think it'd royally screw you over if you ever had to change your secret key [due to suspected leak, for example] as now all your passwords are invalid. -- Curtis On 9 June 2015 at 15:16, Ram Rachum wrote: > Hi, > > What do you think about using the project's

Using `SECRET_KEY` in password hashers

Hi, What do you think about using the project's `SECRET_KEY` as an additional salt in Django's password hashers? The advantage would be that they'll be harder to crack, as an attacker would need access both to the database table and the code for the secret key. The disadvantage I can think of