Closed kgal closed 9 years ago
The word unique should not be removed from this requirement. We want each credential to be stored using a unique salt. If you don't do this, then if two users have the same password and the salts are the same, the hashes will be identical. We also don't want salts hard coded into applications or randomly generated one time. Both of these are bad ideas. This allows for lookup tables to be created in advance for faster password cracking.
Per Andy S., whether storing credentials or hashes, you need to add some random, whether it is a unique salt or a unique IV. Putting it back in there and allowing for IV and fixing up the wording.
If an application is storing multiple encrypted passwords in one file, such as Firefox does, each credential does not get stored with a unique salt. Remove "unique"?
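As an added illustration of the point made in the comments above (example code written for this page, not code from the issue thread or from any project it refers to), the following shows the difference between a hard-coded, application-wide salt and a fresh random salt per credential: with the shared salt, two users with the same password end up with identical stored hashes; with per-credential salts they do not. PBKDF2-HMAC-SHA256, a 16-byte salt and the iteration count are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

SALT_BYTES = 16
ITERATIONS = 100_000  # assumed work factor, kept modest so the demo runs quickly

# A constructed example of the anti-pattern: one salt baked into the application.
HARD_CODED_SALT = b"app-wide-constant"

CredentialStore = Dict[str, Tuple[bytes, bytes]]  # user -> (salt, hash)


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password hash from the password and the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def store_credential(store: CredentialStore, user: str, password: str,
                     salt: Optional[bytes] = None) -> None:
    """Store (salt, hash); with no salt given, a fresh random salt is drawn per credential."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    store[user] = (salt, hash_password(password, salt))


def verify_credential(store: CredentialStore, user: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    record = store.get(user)
    if record is None:
        # Unknown user: still derive once so the response time matches a wrong password.
        hash_password(password, bytes(SALT_BYTES))
        return False
    salt, expected = record
    return hmac.compare_digest(hash_password(password, salt), expected)


def same_password_collides(password: str, shared_salt: Optional[bytes]) -> bool:
    """True if two users with the same password get identical stored hashes."""
    store: CredentialStore = {}
    store_credential(store, "alice", password, shared_salt)
    store_credential(store, "bob", password, shared_salt)
    return store["alice"][1] == store["bob"][1]


if __name__ == "__main__":
    print("shared salt collides:", same_password_collides("correct horse", HARD_CODED_SALT))
    print("unique salts collide:", same_password_collides("correct horse", None))
```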