Given:
$salt is a pseudo-randomly generated string of sufficient length
$pepper is a strong enough private key known only to the administrators of the db where passphrases are stored
Would you see
$hash = bcrypt(hmac($userpassphrase, $pepper), $salt)
as far superior to
$hash = bcrypt($userpassphrase, $salt)
given the additional burden of managing/storing $pepper as well as $salt?
My assumption is that hmac does not meaningfully amplify the resulting $hash, and the burden of storing $pepper outweighs any intended benefits, but I would like to hear informed opinions.
- HMacs . , , hmac, , -, , , , .
, , , , . HMac SHA ($ userpassphrase, $salt), , , , "" .
bcrypt - , . , , . bcrypt "logRounds" ( , ), , . logRounds 15 ( 10), 2 ^ 15 = 32768 , . , .
, . , $hash, - , $pepper , . HMAC .
It makes no sense to use an additional hash for the password extension function, such as bcrypt; it would be easier and better to just repeat it a couple more times.
“Pepper” is a commonly used but dubious practice; I personally believe that the attack models under which an attacker obtains your database but does not have access to your private key are so far-fetched that protection against them is not worth the complexity of the implementation that arises.
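The two constructions from the question, written out as an added example (not code from the original post or its answers) so the operational difference is visible: with the plain form the stored row alone is enough to check a passphrase, while the peppered form also needs the key held outside the database. The function names, the cost of 12, the choice of SHA-256 for the HMAC and the sample pepper are assumptions made for illustration.

```php
<?php
// Added example. All names and sample values below are constructed.
const BCRYPT_COST = 12; // assumed work factor (the "logRounds" setting)

// Plain form: bcrypt($userpassphrase, $salt).
// password_hash() generates the salt itself and embeds it in its output.
function hash_plain(string $passphrase): string
{
    return password_hash($passphrase, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Inner step of the peppered form: hmac($userpassphrase, $pepper).
// hash_hmac() returns 64 hex characters by default, which fits within
// bcrypt's 72-byte input limit and contains no NUL bytes.
function pepper_input(string $passphrase, string $pepper): string
{
    return hash_hmac('sha256', $passphrase, $pepper);
}

// Peppered form: bcrypt(hmac($userpassphrase, $pepper), $salt).
function hash_peppered(string $passphrase, string $pepper): string
{
    return password_hash(pepper_input($passphrase, $pepper), PASSWORD_BCRYPT,
        ['cost' => BCRYPT_COST]);
}

function verify_peppered(string $passphrase, string $pepper, string $stored): bool
{
    return password_verify(pepper_input($passphrase, $pepper), $stored);
}

// Constructed sample data. A real pepper is loaded from configuration or a
// key store kept apart from the database, never from the password table.
$pepper     = 'constructed-sample-pepper-not-a-real-key';
$otherKey   = 'constructed-different-key';
$passphrase = 'correct horse battery staple';

$plainRow    = hash_plain($passphrase);
$pepperedRow = hash_peppered($passphrase, $pepper);

// Plain row: a candidate passphrase can be checked with the row alone.
var_dump(password_verify($passphrase, $plainRow));
// Peppered row: the same check needs the pepper as well.
var_dump(verify_peppered($passphrase, $pepper, $pepperedRow));
// Right passphrase with the wrong key, then with no key at all.
var_dump(verify_peppered($passphrase, $otherKey, $pepperedRow));
var_dump(password_verify($passphrase, $pepperedRow));
```

Losing or rotating $pepper makes every peppered row unverifiable until users reset their passphrases, which is the management burden the question weighs against the benefit.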