logoalt Hacker News

cluckindanyesterday at 9:27 PM1 replyview on HN

Or just salt the string with the username before hashing.


Replies

tybityesterday at 9:40 PM

That’s what they do, but the TPM pepper is also needed for HMACing in their threat model. Otherwise the attacker just adds the victim’s user id to their hashing process too.