Remix.run Logo
cluckindan 3 hours ago

Or just salt the string with the username before hashing.

tybit 3 hours ago | parent [-]

That’s what they do, but the TPM pepper is also needed for HMACing in their threat model. Otherwise the attacker just adds the victim’s user id to their hashing process too.