Comments on Spring Minutes: The right way to hash passwords with Spring Security
Blog author: GalapagosFinch (http://www.blogger.com/profile/17395739571926418138)
Comment feed last updated 2023-04-05T07:47:21-04:00; 2 comments.

raspacorp (https://www.blogger.com/profile/12096169136303344288), 2013-10-23T00:42:11-04:00:

A question: you say that it is not a good idea to use a random salt because you would need to store it in the user table, which is the one you want to protect, but doesn't using the user information (in this case the ID) have the same problem? It is stored in the user table as well.

GalapagosFinch (https://www.blogger.com/profile/17395739571926418138), 2013-10-23T07:43:28-04:00:

Good point! We actually came to the same conclusion. I came up with an algorithm that uses salt from the DB combined with salt from another source. This makes it hard for an attacker to brute force the hashed passwords with a rainbow table because the attacker needs both parts. Even better, if the attacker doesn't know about both parts, the salt in the DB will act as a red herring!

(I should put up a blog entry for that.)