Collaborate Disseminate
Picture a state of the art implementation of a website registration and login system.
I’m interested in analyzing what a defender gains and loses by feeding the user password to a key-stretching KDF function (e.g. argon2).
Let’s start from… Continue reading On the gains and losses of an additional client side stretching of the user password
Picture a state of the art implementation of a website registration and login system.
I’m interested in analyzing what a defender gains and loses by feeding the user password to a key-stretching KDF function (e.g. argon2).
Let’s start from… Continue reading On the gains and losses of an additional client side stretching of the user password
I’m trying to build a generic function to encrypt HMAC values with a single global secret key, but that can be "scoped" or salted by application/uses. For instance, an HMAC for a session token signature should not be the same as … Continue reading Key derivation for HMAC, concatenate vs multiple HMAC passes
If I am using SHA-512 hash values merely as a means to search fields that have been encrypted elsewhere, is it cryptographically secure enough to hash without salt?
For background, I have been given a non-negotiable requirement to encrypt … Continue reading Using hash to search encrypted records
I created an unshadowed file to run through john, it worked fine. I created some additional users and created a new file with those hashes in there. I run john and get
Using default input encoding: UTF-8
No password hashes loaded (see FAQ)… Continue reading john the ripper not not loading hashes
For example, a password hash is: edgjcgo4866864rfhobd38790g764hkp
Does having the hash of the password make it easier for the attacker to crack the password than not having the hash?
If yes, why does having the hash make it easier to crack… Continue reading Does having the hash make it easier to crack the password than not having the hash? [duplicate]
Binance public API supports access to specific operations with RSA key pair. Firstly customer generates an RSA key pair. The customer uses the secret key to hash(SHA256) the query string parameters and puts the hash value in the query stri… Continue reading Using two different random numbers instead of RSA Keys
Let’s say I want to deploy a simple static website (with no backend server) with some protected pages only visible after entering a password.
I could write a hardcoded salted hashed password and encrypt the protected data with it, but the … Continue reading Is any client-sided password just security by obscurity?
Can you help me get 10 Character String?
In order to get the String how it was before the Hashing Process,
you’ll need to brute force it. Now, to make this easier for you all,
I’ll reveal the format, however, we’ve have made it harder for… Continue reading Can you help me get 10 Character String? [closed]
I know that a password is stored as a hash, because then it is not possible to get the password even if you have access to the password database/file/…
But if you have access, couldn’t you just replace the password hash with some hash wh… Continue reading Why is it not possible to override password hashes