Collaborate Disseminate
Lets assume I am building a pastebin-like web app: users can upload text notes and share them. Users should be able to password-protect notes. Whenever viewing such a note, other users must first provide the correct password to be able to … Continue reading Password checks in backend vs. password encrypted data sent to frontend?
From other password hashing algorithms, I know that when a user tries to log in, and the account does not exist in the first place, it’s best practice to still hash the provided password, so as not to leak information about whether the use… Continue reading argon2id: Do I have to protect against timing attacks on login?
I’m wondering what are the risks of using password hashing algorithms like Argon2 or PBKDF2 in a JavaScript application.
I am wondering this because of the considerations of client-side execution, and the potential for an attacker to explo… Continue reading What are the risks of using password hashing algorithms like Argon2 or PBKDF2 in a JavaScript application [duplicate]
Referencing this document, they give justifications for a number of their recommendations, but not any behind only going with 1 degree of parallelism for using Argon2id. Is there a reason why this is recommended that is unmentioned there?
… Continue reading Why does OWASP recommend only 1 degree of parallelism for Argon2id
So if I got this right from my intense research, the following procedure would be preferrable:
Use the PBKDF2 key derivation function to derive a secret key from the users password on the client side.
Use the derived key, which was generat… Continue reading Algorithms when using client side hashing plus server side hashing
I am trying to use a user password in my application to both generate a password hash (for authentication) and to derive a secret key to encrypt user data.
Using argon2 is an expensive operation so i only want to call it only once when the… Continue reading Mixing argon2/HKDF to generate both password hash and encryption key?
Given the following argon2 hash
$argon2id$v=19$m=65536,t=32,p=8$mJmKA5qamzXOPJZYw4wCEUKY$COkMH0RckaZ/3bhYCdCQjLuzoLKxcAmk4TzmHRRgTQ8
How should the hash be stored in a database? From the answers of this question it says you shouldn’t store… Continue reading How should an argon2 hash be stored? [duplicate]
While Argon2 seems to be recommended for password hashing, based on this twit Argon2 is worse than bcrypt at runtimes < 1000 ms.
Based on this answer:
You should tweak the parameters to your own use-case and performance
requirements, b… Continue reading Argon2 is worse than bcrypt at runtimes < 1000 ms? [duplicate]
I want to store a password hash in plain sight. If I am using a dictionary to crack an Argon2 hashed password that I am storing in plain sight, how long would it take (assuming my password is reasonably complex)? Further, are there any oth… Continue reading How long would it take to crack hashed password stored in plain sight?
i noticed my django is hashing the passwords asargon2$argon2id$v=19$m=102400,t=2,p=8$salt$hash
according to Argon2 in browser
the encription is $argon2id$v=19$m=102400,t=2,p=8$salt$hash
if i try to match argon2$argon2id$v=19$m=102400,t=2,p… Continue reading Argon2 password hashing in django [migrated]