#geek #nerd #SecurityThoughts by Alice Wonder 

A nonce is a number that is used only once. If you learned what a nonce is from context in WordPress code, forget it; they misuse the word.

Some nonces only need to be used once, and it is okay if they are predictable: AEAD cipher nonces. In those cases, I seed with a 12-byte random number and just increment each use.

Some nonces need to be unpredictable and kept secret. I use 128-bit for those.
#geek #nerd #SecurityThoughts by Alice Wonder 

When it comes to salts - if the same salt is to be used multiple times, the salt needs to be at least a 256-bit salt. I just use a base64 encoding of a 256-bit random number (44 characters including the = padding at the end). There's nothing to be gained from special characters like }]# etc. - the entropy is what matters. Just generate a random 256-bit number and base64 (or hex) encode it.
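The two posts above in working code, added here as an illustration and not Alice Wonder's own code: a counter nonce seeded from 12 random bytes that refuses to repeat a value under one key, a 128-bit secret nonce, and a base64 256-bit salt (the `length` parameter on the nonce source is an assumption added so the exhaustion check can be exercised on a tiny nonce space; nothing here performs encryption).

```python
import base64
import secrets
from typing import Optional

AEAD_NONCE_LEN = 12   # 96-bit nonce, the size AES-GCM and ChaCha20-Poly1305 take
SALT_LEN = 32         # 256-bit salt, the post's minimum for a reusable salt


class CounterNonce:
    """Per-key AEAD nonce source: random 12-byte start, then +1 for every use.

    Predictable is fine for an AEAD nonce; what must never happen is a
    repeat under the same key, so the source refuses to hand out more
    values than the nonce space holds instead of silently wrapping.
    """

    def __init__(self, seed: Optional[bytes] = None, length: int = AEAD_NONCE_LEN):
        # `length` is an assumption for testing; real use keeps the 12-byte default
        seed = secrets.token_bytes(length) if seed is None else seed
        if len(seed) != length:
            raise ValueError(f"seed must be exactly {length} bytes")
        self._length = length
        self._space = 1 << (8 * length)
        self._start = int.from_bytes(seed, "big")
        self._used = 0

    def next(self) -> bytes:
        if self._used >= self._space:
            raise RuntimeError("nonce space exhausted; rotate the key")
        value = (self._start + self._used) % self._space  # big-endian increment
        self._used += 1
        return value.to_bytes(self._length, "big")


def secret_nonce() -> bytes:
    """128-bit unpredictable nonce for the cases where the value is a secret."""
    return secrets.token_bytes(16)


def make_salt() -> str:
    """Base64 of 256 random bits: 44 characters, the last one '=' padding."""
    return base64.b64encode(secrets.token_bytes(SALT_LEN)).decode("ascii")


def salt_bits(salt: str) -> int:
    """Entropy bound of a base64 salt: the bit length of the decoded bytes."""
    return 8 * len(base64.b64decode(salt, validate=True))
```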
