Collaborate Disseminate
I am using bcrypt.js for basic login. I have found that the below code runs noticeably quicker when no user is found, since it exits immediately, and no check is done on the hash. This could give an attacker insight into whether a username… Continue reading Timing Attack using bcrypt.js
While Argon2 seems to be recommended for password hashing, based on this twit Argon2 is worse than bcrypt at runtimes < 1000 ms.
Based on this answer:
You should tweak the parameters to your own use-case and performance
requirements, b… Continue reading Argon2 is worse than bcrypt at runtimes < 1000 ms? [duplicate]
Is it secure to expose a salted bcrypt hash (minimum 14 cost) if the used password is 72 characters (maximum) byte long, randomly generated letters, numbers, and special characters using secure generator?
Is it secure against offline brute… Continue reading Is it secure to expose a salted bcrypt hash IF it is maximum length random secure password?
I am currently learning about cybersecurity and trying to implement it in my next web application.
I have been reading some articles about hashing, specifically SHA2 and Blowfish.
In this article, it is recommended to add a hard-coded salt… Continue reading Is it a good practice to add hard-coded salt to BCrypt passwords?
I want to debug bcrypt rounds with a static salt using this python lib
import bcrypt
salt = bcrypt.gensalt(14)
password = b"foo"
foo_1_round = bcrypt.kdf(password, salt, desired_key_bytes=10, rounds=1)
foo_2_rounds_manually = bcr… Continue reading Debug bcrypt iterations with a static salt [closed]
I am creating a simplified lead and call management system for a friend’s small business.
I would like to know the best practices for hardening password storage and verification using PHP 7.4 and MySQL 7.4.30.
I would like something very s… Continue reading Best practices for storing passwords for PHP and MySQL applications [duplicate]
When a user changes password, I’d like to implement a simple check that prevents them from reusing the same password. If the new password matches the old password, reject with an error.
Sounds easy, but at the same time I’m aware that hash… Continue reading Hash collisions in password history
I want to hash passwords for security, but strong bcrypt by nature eat up a bit of resources of the server. So I was thinking to do the encryption on the client side. This would prevent the password from being known in the case the off cha… Continue reading Is client-side bcrypt sent over tls + server-side sha hmac secure for password storage?
I want to store the passwords of accounts hashed into a database that can be accessed through a python-flask application. When you would login, this python application is supposed to provide you with a token that will be saved in the front… Continue reading How do I properly secure my login using bcrypt in react and a python-flask backend?
Every week seems to bring another set of high-profile data leaks, and this time it’s the turn of a service that should be of concern to many in our community. …read more Continue reading Thingiverse Data Leaked — Check Your Passwords