A password only 8 chars long can still be brute forced, salt or not.

Without salt, the attacker would make a guess, run the hash on the password, and compare it to the stored version.

With salt, the attacker would make a guess, combine it with the salt, and then run the hash and compare like before.

What salt does is prevent a shortcut. The attacker has a big list of passwords and their associated hash values. They grab the hash out of the leaked database, compare it to the list, and match it to the original plaintext. When the hashes have a salt, they would need to generate the list for every possible salt value. For a sufficiently long salt that’s unique to each password entry, that list would be infeasible to generate, and infeasible to store even if you could.

If your passwords were long and random enough, then it’s also infeasible to generate that list to cover everything. It really only works against dictionary words and variations (like “P4ssw0rD”).

Bcrypt and scrypt both have a byte limit of 72. That’s still enough for a secure passphrase, though some schemes might blow past it.

It’s usually part of the string stored to the DB.

Edit: you can see the PHC spec here:

https://github.com/P-H-C/phc-string-format/blob/master/phc-sf-spec.md

Which is a common format for various password storage algorithms, including Argon2. It has a salt field.

That’s not how salt works. It will be stolen alongside the password hash, because salt is necessarily in plaintext. It doesn’t increase the guessability of passwords. It just makes it infeasible to precompute your guesses.

Those are salted, they just do it for you.

Not how it works.

First of all, there’s far too many companies out there still storing passwords in plaintext.

Second of all, even with a good hash algorithm, hacking a specific person’s password out of a leaked database is still feasible when your passwords are variants of a few dictionary words with a few numbers and symbols attached.

Creating fully randomized, unique passwords in a password manager really is the best way. Even an older hash method of storage on the web site’s part will likely protect it.

It’s even broader. An EU citizen living anywhere accessing any site they happen to live can report that site. It may be that the EU won’t be able to collect the fine–assuming the owners never travel to the EU–but they can be fined.

It’s more than that. The EU law lets any EU citizen report a company that’s not in compliance. That includes companies not strictly in the EU. It’s why even US companies tend to be in compliance (or something like compliance).

Someday, Windows might be as good at gaming as Linux.

It works for some games more than others. I never liked playing shooters with console controllers. Conversely, games like Vampire Survivors are prefect for that type of controller.

Which may be correct, but given that they mangled the argument in that section, we can’t exactly trust the rest.

Also, it’s not just which country they are in right now. It’s what country they are a citizen of. It’s impossible to know that for a random visitor, so the default is to show it to everyone.

Apparently, the scammers are really good at helping people setup bitcoin. Yes, really.