It's important to note in this "Facebook plain-text password" story that the passwords are being stored with salted scrypt hashes; that's not the issue. Instead, the issue is inadvertent logging of web requests -- which happen to contain clear-text passwords.
Same issue. No salt -> vulnerable to targeted attacks. Stretching server-side -> DoS vector.
-
I have not often seen the static server secret in practice (aka 'salt & pepper'); I would LOVE to see a case study of the efficacy of this practice. Common method today seems to be server-side stretching only, with rate-limiting to solve DoS -- albeit with plaintext passwords

-
I get it though: at the cost of an extra round trip and some added complexity, we can 1) mix in a static secret; 2) avoid key stretching server-side; and 3) avoid unnecessary pk retransmission. Pretty neat!
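As an added example (not from the thread, and not any participant's code), here is one way to put points 1) and 2) of the scheme above into working code: a per-user salt, scrypt stretching done on the client after a first round trip to fetch the salt, and a cheap server-side HMAC under a static secret ("pepper") that never sits in the user database. The class and function names, the wire format (two calls on a `Server` object standing in for two HTTP round trips), the scrypt parameters and the `PEPPER` value are all assumptions made for illustration; point 3) of the tweet (avoiding key retransmission) is not modelled.

```python
"""Salt + client-side scrypt + server-side pepper (added example, assumptions labelled)."""
import hashlib
import hmac
import secrets

# scrypt cost parameters: constructed small for a fast demo; raise N in production.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
SALT_LEN = 16

# Constructed static server secret. In a real deployment it lives in a KMS/HSM or
# process environment, never in the same database as the verifiers.
PEPPER = bytes.fromhex("9f3c2a7e1b4d6c8a0e5f7d9b2c4a6e8f1d3b5c7a9e0f2d4b6c8a1e3f5d7b9c0a")


def stretch(password: str, salt: bytes) -> bytes:
    """Client-side key stretching. The expensive, memory-hard step runs on the
    client, so a login flood is not a CPU/memory DoS vector for the server."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)


class Server:
    def __init__(self, pepper: bytes):
        self._pepper = pepper
        self._db = {}  # username -> (salt, verifier); this is what a DB leak exposes

    def _verifier(self, username: str, stretched: bytes) -> bytes:
        # Cheap server-side step: bind the client's stretched value to the pepper
        # and the username. Without the pepper, a leaked row cannot be checked
        # offline against password guesses.
        msg = username.encode("utf-8") + b"\x00" + stretched
        return hmac.new(self._pepper, msg, hashlib.sha256).digest()

    def new_salt(self) -> bytes:
        return secrets.token_bytes(SALT_LEN)

    def enroll(self, username: str, salt: bytes, stretched: bytes) -> None:
        self._db[username] = (salt, self._verifier(username, stretched))

    def get_salt(self, username: str) -> bytes:
        """Round trip 1: hand the client its salt. Unknown users get a
        deterministic fake salt so the reply does not reveal whether the
        account exists (user-enumeration caveat)."""
        if username in self._db:
            return self._db[username][0]
        fake = hmac.new(self._pepper, b"fake-salt:" + username.encode("utf-8"),
                        hashlib.sha256).digest()
        return fake[:SALT_LEN]

    def login(self, username: str, stretched: bytes) -> bool:
        """Round trip 2: recompute the peppered verifier and compare in constant time."""
        record = self._db.get(username)
        candidate = self._verifier(username, stretched)
        if record is None:
            # Do the compare anyway so timing does not distinguish unknown users.
            hmac.compare_digest(candidate, b"\x00" * len(candidate))
            return False
        return hmac.compare_digest(candidate, record[1])


def client_enroll(server: Server, username: str, password: str) -> None:
    salt = server.new_salt()
    server.enroll(username, salt, stretch(password, salt))


def client_login(server: Server, username: str, password: str) -> bool:
    salt = server.get_salt(username)                    # round trip 1
    return server.login(username, stretch(password, salt))  # round trip 2


if __name__ == "__main__":
    srv = Server(PEPPER)
    client_enroll(srv, "alice", "correct horse battery staple")
    print("alice, right password:", client_login(srv, "alice", "correct horse battery staple"))
    print("alice, wrong password:", client_login(srv, "alice", "Tr0ub4dor&3"))
    print("unknown user:", client_login(srv, "mallory", "correct horse battery staple"))
```

Two caveats a practitioner would check: the stretched value the client sends is password-equivalent for that server, so it must only ever travel over TLS and must be kept out of request logs exactly like the plaintext would be; and rotating the pepper invalidates every verifier derived under it, so either version the pepper per row or plan a re-enrollment path.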