Consider the following two methods:
hashedPassword = hash(trulyRandomSalt + password)
Where hashedPassword and trulyRandomSalt are stored in the database.
hashedPassword = hash(applicationConstantPepper + uniqueUserName + password)
Where hashedPassword and uniqueUserName are stored in the database, and applicationConstantPepper is stored in the application configuration. Here, uniqueUserName acts like a salt; usernames are usually email addresses.
I read this question, which contains a lot of great information, but it does not apply to the constant value of the application pepper and how it would improve using usernames as salt.
I always used method one with a 32-bit cryptographically random salt. However, I just saw method two used in another application. The first problem I have with method two is that it associates the username with the hash, so the username can never change without restoring the hash.
What are the security issues with method two? Which method is best to use?
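To make the coupling the question points out concrete, here is an added example (not code from the question or any answer) that implements both methods side by side and then simulates a username change. It assumes PBKDF2-HMAC-SHA256 in place of the bare hash() of the pseudocode, a 16-byte salt for method one, and a constructed pepper value for method two.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (assumed value; tune for your hardware).
ITERATIONS = 100_000


def _kdf(password: str, salt: bytes) -> bytes:
    """Slow key derivation used by both methods (stands in for hash())."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Method one: a fresh random salt per user, stored next to the hash.
def store_random_salt(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _kdf(password, salt)}


def verify_random_salt(record: dict, password: str) -> bool:
    return hmac.compare_digest(_kdf(password, record["salt"]), record["hash"])


# Method two: application-wide pepper (kept in configuration, not the database)
# concatenated with the username; only the hash is stored per user.
PEPPER = b"constructed-example-pepper-not-a-real-secret"  # constructed sample


def store_username_salt(username: str, password: str) -> dict:
    return {"hash": _kdf(password, PEPPER + username.encode())}


def verify_username_salt(record: dict, username: str, password: str) -> bool:
    return hmac.compare_digest(_kdf(password, PEPPER + username.encode()), record["hash"])


def rename_effect() -> tuple:
    """After a username (email) change with an unchanged password:
    method one still verifies, method two does not, because the
    username is baked into its salt."""
    pw = "correct horse battery staple"  # constructed sample password
    rec1 = store_random_salt(pw)
    rec2 = store_username_salt("alice@example.com", pw)
    return (
        verify_random_salt(rec1, pw),                            # True
        verify_username_salt(rec2, "alice@example.com", pw),     # True
        verify_username_salt(rec2, "alice@example.org", pw),     # False: must rehash
    )


if __name__ == "__main__":
    print(rename_effect())
```

With method two, a user who changes their email address must re-enter their password so the record can be rehashed; method one can update the username column untouched.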