I've already seen one person in this thread taking "S+P" literally, and suggesti... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		mbrubeck on March 27, 2015 \| parent \| context \| favorite \| on: Slack was hacked I've already seen one person in this thread taking "S+P" literally, and suggesting `bcrypt(cost, salt + pepper, password)`, which has a very obvious and critical problem. Other "peppering" schemes in the comments here also have significant weaknesses. So yes, even a simple idea like this is easy to botch in implementation -- even if the implementation is just a one-line change!

ufo on March 28, 2015 [–]

What is the problem? Does bcrypt truncate "salt+pepper"?

iopq on March 28, 2015 | [–]

Because the salt is in the hash!

$2a$12$GhvMmNVjRW29ulnudl.LbuAnUtN/LRfe1JsBm1Xu6LE3059z5Tr8m

$2a means it's using bcrypt version 2a

$12 means 12 rounds

GhvMmNVjRW29ulnudl.Lbu is the salt

AnUtN/LRfe1JsBm1Xu6LE3059z5Tr8m is the checksum

Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact