I want to tell users about the security measures I have in place (e.g. sha512, variable-length unique salts, and more) but am worried that in the case of data-breach such information would provide additional ammunition for a hacker.
Obviously on the one hand if I said “We store all your passwords in a separate file at /etc/pleasedontpwnme” you would be helping nothing and compromising your security.
On the other end of the spectrum if you tell the user “Passwords are not sold to third parties.” You have given him virtually no information about your practices.
I want to be as transparent as possible. Indeed, if I open source the code, it will all be transparent. At the same time, I am worried that by describing my defenses I have taken a lot of the hackers work away from him and made his life easier.
I am also thinking of the Enigma machines, and how the fact that it didn’t encode a letter as itself shows that sometimes “security measures” backfire, and if you tell a hacker up front “we do X Y and Z” the hacker could also notice that Z actually compromises security and use that to breach defenses.
Where I am currently leaning is “We do not store your password, rather we store a ‘hash’ that is derived from your password, but cannot be turned back into your password. All hashes are salted.”
It seems pretty safe, except that in worst case, hackers would know not to use a dictionary attack. I would prefer to be as transparent as possible. Users like myself might like to know that the passwords are SHA512 and that they have a unique salt for each password.
How much information about security measures is too much to release to the general public?
This is different from How much security information to publicise?
as mine is concerned with how much information is “safe”, not how much is best from a readers perspective.
It also differs from Correct terminology when describing password security to layman for similar reasons. I am not asking about a specific wording for understandability, rather I am asking for a transparency/security balance.