
Bits of entropy I understand, how you got "374" and "288" I don't.

>That’s my point. It’s not easy to get this kind of thing right, so just don’t bother with pepper.

What? Your point is that you haven't demonstrated that it's weaker than the weakest link, therefore you win?

Edit: Okay, I figured out where you got 288. Still confused by the 374. Anyway, you need to make truncations explicit. You didn't pass all of the SHA output to bcrypt. You're taking advantage of an implementation API bug.

I'm not asking for evidence that shoving together functions from google without understanding them can go wrong. That's trivially true.

I want an example where combining hash algorithms is inherently wrong. Like using a block cipher twice can pop out your plaintext, but probably not as extreme.

Edit 2: Oh, 384!
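
Added example, not part of the comment above: it assumes the figures refer to a hex-encoded SHA-384 digest (96 characters) being cut at bcrypt's 72-byte password limit, and counts how many digest bits still reach bcrypt for each encoding. The function names and the sample passwords are constructed for illustration.

```python
import base64
import hashlib

BCRYPT_MAX_INPUT = 72  # bcrypt uses at most 72 bytes of the password


def bcrypt_sees(data: bytes, c_string_api: bool = False) -> bytes:
    """Return the prefix of `data` that bcrypt would actually hash.

    c_string_api=True models implementations that take a NUL-terminated
    string and therefore stop at the first 0x00 byte.
    """
    if c_string_api and b"\x00" in data:
        data = data[: data.index(b"\x00")]
    return data[:BCRYPT_MAX_INPUT]


def surviving_bits(algo: str, encoding: str) -> int:
    """Digest bits that still reach bcrypt after encoding and the 72-byte cut."""
    digest = hashlib.new(algo, b"constructed sample password").digest()
    if encoding == "hex":
        encoded, bits_per_char = digest.hex().encode(), 4
    elif encoding == "base64":
        encoded, bits_per_char = base64.b64encode(digest).rstrip(b"="), 6
    elif encoding == "raw":
        encoded, bits_per_char = digest, 8
    else:
        raise ValueError(encoding)
    kept = bcrypt_sees(encoded)
    return min(len(kept) * bits_per_char, len(digest) * 8)


def first_password_with_nul_digest(algo: str = "sha384") -> bytes:
    """Find a constructed password whose raw digest contains a 0x00 byte."""
    i = 0
    while True:
        pw = b"constructed-%d" % i
        if b"\x00" in hashlib.new(algo, pw).digest():
            return pw
        i += 1


if __name__ == "__main__":
    for algo in ("sha256", "sha384", "sha512"):
        for enc in ("raw", "hex", "base64"):
            print(f"{algo:7} {enc:7} {surviving_bits(algo, enc):4} bits reach bcrypt")
    pw = first_password_with_nul_digest()
    raw = hashlib.sha384(pw).digest()
    print(pw, "->", len(bcrypt_sees(raw, c_string_api=True)), "of", len(raw), "bytes used")
```

Base64 keeps the full SHA-384 digest inside the 72-byte limit and contains no NUL bytes, which is why it is the usual encoding when a digest is fed to bcrypt.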


