| Wrong | Right |
|-----------|------------|
| Store in browser localStorage | Store in HTTP-only, Secure, SameSite cookies |
| Log keys in debug output | Hash keys before storing in database (use bcrypt) |
| Hardcode in client-side code | Use secrets manager (AWS Secrets, HashiCorp Vault) |
We have hashing. We have salts. Is the system perfect? Almost. There is one final vulnerability: .
The salt defeats rainbow tables, and it does not need to be secret or encrypted: store it in the clear next to the hash. An attacker who obtains the database has the salt too, but still has to brute-force each password individually.
| Attack Type | Without Salt | With Salt (unique per user) |
|-------------|--------------|-----------------------------|
| Rainbow table | Instant (lookup) | Useless – would need a table per user |
| Precomputed hash | Effective | Completely ineffective |
| Brute-force | Same cost for all users | Same cost, but cannot reuse across users |
A salt is random data added to an input (typically a password) before it is passed through a hashing function.
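The per-user salt behaviour from the table above, shown as an added example that is not code from the original page: a salted record stored with the salt in the clear, verification against it, and a toy precomputed table that recovers unsalted digests but not salted ones. PBKDF2-HMAC-SHA256 from Python's standard library is used; the function names, iteration count, salt length and wordlist are assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Added example, not code from the page. PBKDF2-HMAC-SHA256 from the standard
# library; iteration count and salt length are assumptions (OWASP suggests
# 600,000 iterations for this KDF, lowered here so the demo runs quickly).
ITERATIONS = 100_000
SALT_BYTES = 16

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn unless one is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def make_record(username: str, password: str) -> Dict[str, str]:
    """The stored row: the salt sits in the clear right next to the hash."""
    salt, digest = hash_password(password)
    return {"user": username, "salt": salt.hex(), "hash": digest.hex()}

def verify_password(record: Dict[str, str], password: str) -> bool:
    """Re-derive with the stored salt; constant-time compare avoids timing leaks."""
    _, candidate = hash_password(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))

def precomputed_table(wordlist) -> Dict[str, str]:
    """Toy precomputed table: unsalted SHA-256 of each guess, mapped back to the guess."""
    return {hashlib.sha256(w.encode("utf-8")).hexdigest(): w for w in wordlist}

def demo() -> dict:
    table = precomputed_table(["password", "letmein", "correct horse"])  # constructed
    # Unsalted: three users with the same password share one digest, and one
    # table lookup recovers all three.
    unsalted = [hashlib.sha256(b"letmein").hexdigest()] * 3
    # Salted: same password, three users, three unrelated digests.
    salted = [make_record(f"user{i}", "letmein") for i in range(3)]
    return {
        "unsalted_hits": sum(h in table for h in unsalted),
        "salted_hits": sum(r["hash"] in table for r in salted),
        "distinct_salted": len({r["hash"] for r in salted}),
        "verify_ok": verify_password(salted[0], "letmein"),
        "verify_wrong": verify_password(salted[0], "letmeout"),
    }
```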
and salts are not alternatives – they are complementary layers: