| ▲ | cluckindan 3 hours ago | |
Or just salt the string with the username before hashing. | ||
| ▲ | tybit 3 hours ago | parent [-] | |
That’s what they do, but the TPM pepper is also needed for HMACing in their threat model. Otherwise the attacker just adds the victim’s user id to their hashing process too. | ||