Monday, 5 January 2015

Can I prevent brute forcing of hashed+salted user passwords without a dedicated validation server?



Salted hashes don't seem to offer any real protection for user passwords by themselves. So long as a hacker has a quick way to check if a password is right or wrong, it's trivial to brute-force it to view the plain-text passwords.


From what I've gathered, I should be sending my hashed+salted passwords to a (hardened) dedicated server on my network whose sole task is validation (via secret keys). A hacker would have to gain access to both servers before plain-text passwords could be retrieved.


Are there any alternatives to using a dedicated validation server?
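The following is an added example, not part of the original question or any answer to it. It puts the three mechanisms the question circles around side by side in standard-library Python: a plain salted SHA-256 hash, where anyone holding the salt and hash can confirm a guess with one cheap hash call; a keyed hash (HMAC) under a secret key that is kept away from the hash store, which is the "validation via secret keys" the question describes; and, as an alternative that needs no second server, a deliberately slow KDF (PBKDF2) so that each guess costs real CPU time even for someone who has everything. The candidate list, user password, iteration count and key handling are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed sample data: a tiny candidate list standing in for a password
# dictionary, and a user password that happens to appear in it.
CANDIDATES = ["123456", "letmein", "qwerty", "hunter2", "correcthorse"]
USER_PASSWORD = "hunter2"


def salted_sha256(password: str, salt: bytes) -> bytes:
    """The scheme the question worries about: salt plus a single SHA-256 call."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def guesses_needed(stored: bytes, salt: bytes, candidates: list[str]) -> int:
    """How many hash evaluations someone holding the salt and hash needs to confirm
    the password is in `candidates` (-1 if it is absent). Each step is one cheap
    hash, which is exactly why a plain salted hash does not stop offline guessing."""
    for n, guess in enumerate(candidates, start=1):
        if hmac.compare_digest(salted_sha256(guess, salt), stored):
            return n
    return -1


def keyed_hash(password: str, salt: bytes, secret_key: bytes) -> bytes:
    """HMAC-SHA256 over salt+password under a secret key stored separately from the
    hashes (for example only on the validation server the question describes)."""
    return hmac.new(secret_key, salt + password.encode("utf-8"), hashlib.sha256).digest()


def verify_keyed(password: str, salt: bytes, stored: bytes, secret_key: bytes) -> bool:
    """Validator side: without `secret_key` no guess can be confirmed, so a dump of
    salts and hashes alone gives nothing to check against."""
    return hmac.compare_digest(keyed_hash(password, salt, secret_key), stored)


PBKDF2_ITERATIONS = 600_000  # assumed work factor for illustration; tune per deployment


def slow_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Alternative that needs no second server: a slow KDF (PBKDF2-HMAC-SHA256 from
    the standard library) so each guess costs the attacker measurable CPU time."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify_slow(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(slow_hash(password, salt), stored)


def cost_ratio(salt: bytes, repeat: int = 5) -> float:
    """Rough wall-clock ratio of one slow_hash check to one salted_sha256 check.
    Timing-dependent, so it is only printed, never asserted on."""
    t0 = time.perf_counter()
    for _ in range(repeat):
        salted_sha256(USER_PASSWORD, salt)
    fast = (time.perf_counter() - t0) / repeat
    t0 = time.perf_counter()
    for _ in range(repeat):
        slow_hash(USER_PASSWORD, salt)
    slow = (time.perf_counter() - t0) / repeat
    return slow / fast if fast > 0 else float("inf")


if __name__ == "__main__":
    salt = os.urandom(16)

    stored_plain = salted_sha256(USER_PASSWORD, salt)
    print("plain salted hash: guesses to confirm =", guesses_needed(stored_plain, salt, CANDIDATES))

    server_key = os.urandom(32)  # lives only on the validator, never beside the hashes
    stored_keyed = keyed_hash(USER_PASSWORD, salt, server_key)
    print("keyed, correct key :", verify_keyed(USER_PASSWORD, salt, stored_keyed, server_key))
    print("keyed, without key :", verify_keyed(USER_PASSWORD, salt, stored_keyed, os.urandom(32)))

    stored_slow = slow_hash(USER_PASSWORD, salt)
    print("slow KDF verifies  :", verify_slow(USER_PASSWORD, salt, stored_slow))
    print("slow/fast cost ratio: about %.0fx per guess" % cost_ratio(salt))
```

The keyed variant only helps if the key really is unreachable from wherever the hashes leak (a separate host or an HSM, not a config file on the same box), and the slow variant only helps in proportion to the work factor, so the two are usually layered: a slow KDF for every deployment, plus a separately held key where the infrastructure allows it.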




