The core problem is that using a decent password hashing algorithm with non-secret per-service per-user salts gives you really, really good security with respect to salts.
Adding secret keys (salts, whatever) to your security assumptions is the kind of thing that gives cryptographers an allergic reaction—and I think you’re seriously underestimating the difficulty of implementing the system too, for very little gain. Better to spend your time protecting users from social engineering attacks, or insider compromise, or any of the myriad other attacks which are far more likely to defeat the sensible conventional approach.
I agree that salts already give very good security on their own (even if I personally like the idea of adding peppers), and it’s entirely possible that I’m underestimating the difficulty of implementing it. I also agree that using secrecy assumptions is bad (that’s my problem with the first method, which is fully based on secrecy and becomes useless if the secret is revealed).
My main curiosity here is how my method compares to the usual ones, since, if we take the secrecy example, mine doesn’t depend on secrecy (unlike #1, like #2) but still benefits from it (like #1, unlike #2).