How can salted passwords work if you don't "keep the salts in the system"?

In this report on the recent ParkMobile breach, the article has this comment from the company: “You are correct that bcrypt hashed and salted passwords were obtained,” Perkins said when asked about the screenshot in the database sales thread. “Note, we do not keep the salt values in our system,” he said. If they don't "keep the salt values in [their] system", how could they match a user-entered password against their hashed and salted versions?
http://dlvr.it/Ryml0V
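As an added illustration, not part of the original post: in bcrypt's modular-crypt output format the salt is encoded inside the stored hash string itself (`$2b$<cost>$<22-char salt><31-char digest>`), so a verifier recovers it from the stored record rather than from a separate salt store. The parser below reads a constructed sample string chosen only for its layout, and `hash_password`/`verify_password` use a hypothetical stdlib PBKDF2 record format to show the same stored-salt pattern end to end.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample in bcrypt's modular-crypt layout; used here only to show
# the field positions, not as the hash of any particular password.
SAMPLE_BCRYPT = "$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"


def parse_bcrypt(stored: str) -> dict:
    """Split a bcrypt string into its fields: after "$2b$<cost>$", the first
    22 characters are the salt and the remaining 31 are the digest."""
    _, version, cost, body = stored.split("$")
    if len(body) != 53:
        raise ValueError("malformed bcrypt string")
    return {"version": version, "cost": int(cost),
            "salt": body[:22], "hash": body[22:]}


# Same pattern with stdlib PBKDF2 (hypothetical record layout, not ParkMobile's):
# the stored value is "$pbkdf2-sha256$<iterations>$<salt b64>$<digest b64>",
# so at login the salt is read back out of the record itself.
def hash_password(password: str, iterations: int = 200_000) -> str:
    salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$pbkdf2-sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    _, scheme, iterations, salt_b64, digest_b64 = stored.split("$")
    if scheme != "pbkdf2-sha256":
        raise ValueError("unsupported scheme")
    salt = base64.b64decode(salt_b64)  # salt comes from the stored record
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    return hmac.compare_digest(actual, expected)  # constant-time comparison
```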
