
The problem is that pacofvf's answer assumes you don't need to do this retroactively.

This would work if you were building a new system today, but if you had a DB full of one-way hashes, you're not going to be able to retroactively modify the pepper.



And more importantly, Slack straight up stated they salt the password and use bcrypt. It's all one-way hashes, no encrypting/decrypting going on.



