The stack exchange article seems to ascribe the risk to using MD5. While adding a (global or appended data) hash as you suggest cannot hurt, I wonder if the suggested weakness exist for sha-512.
Firefox is great on desktop, been my primary browser for 15+ years.
Sadly though, the mobile version (still) lacks support for "pull to refresh" gesture. Other than that, mobile FF is great (privacy features, browser addons...).
Some of this is good advice, but there's a BIG point on the 'Password Storage Cheatsheet' that's linked and referenced by the above article, that I don't think is solid.
I read they recommend to use the both (adaptive hashing and "local parameterization"). As even if you utilize separate device (HSM for example) for encrypting the passwords (I'd encrypt instead HMAC), you should indeed not give up on adaptive hashing.
"I read they recommend to use the both (adaptive hashing and "local parameterization")."
I read their text as recommending A or B, based on the intro where they state "Two approaches facilitate this, each imperfectly."
"As even if you utilize separate device (HSM for example) for encrypting the passwords (I'd encrypt instead HMAC), you should indeed not give up on adaptive hashing."
Right, this is the sort of thing that led me to hedge by saying I MIGHT be convinced if an HMAC were involved; it still gives me pause, for sure.
At least, testing passwords against multiple hashes (at the price of one) is impossible. And it is not possible to see if different entries shares a same password (or to see if they have a different password). Also, it (probably unintentionally) mitigates timing attacks when comparing if the entered password matches.
>testing passwords against multiple hashes (at the price of one) is impossible
That's defending against a newly generated rainbow table.
> And it is not possible to see if different entries shares a same password (or to see if they have a different password).
That's repeating the first point with different words! It's defending against a pre-generated table. i.e. a rainbow table.
Timing attacks are not mitigated by salts; they're mitigated by the design of the encryption. You should not rely on salts for this. In fact, if your hash is exposed you should assume your salt is also exposed.
What do salts guard against other than rainbow tables?
> That's defending against a newly generated rainbow table.
You lost me here. Anyway, the attacker does not need a rainbow table at all to attack against multiple hashes at the price of one.
> That's repeating the first point with different words! It's defending against a pre-generated table. i.e. a rainbow table.
Again, no rainbow tables at all are needed to see if different entries shares a password or not.
About timing attacks, see my earlier comment in this comment chain.
> You should not rely on salts for this. In fact, if your hash is exposed you should assume your salt is also exposed.
I see and agree with your point about "relying on salts", but salts just happens to (as a side-effect probably) mitigate the attack. Remember, your salts are not exposed "as-is" if the attacker manages to fetch the password hash using timing.
> I don't understand how salts could help against timing attacks, though.
The salt which is unknown/unpredictable (and contains enough entropy) to the attacker makes his offline attack against the hash unfeasible (after he has managed to fetch the password hash from the server using timing leaks). I'm not sure if it is possible to fetch the (whole) hash using timing, because it is not a direct comparison. But anyway, if the attacker managed to do that, now because of "a proper salt" he would have to crack a hash that was composed of, say, 128 bits of salt and 20 bits of the actual password. It is unfeasible because of that 128 bits of salt alone.
> bcrypt(base64(sha-512(password)))
Pre-hashing the password, in this context, without a salt, is susceptible to hash shucking: https://security.stackexchange.com/questions/234794/is-bcryp...
Instead, use: