Collaborate Disseminate
I’m building a URL-shortening tool. For an arbitrary link, I need to produce a fixed-length slug which will index the full URL in a database. For prettiness reasons, I’d like to keep the slug reasonably short (8 alphanumerical characters s… Continue reading Can I truncate a hash value and keep (the expected amount) of collision resistance? [duplicate]
I am planning to implement my own very simple "hashing" formula to add a layer of auth to an app with multiple users. My current plan is as follows:
User creates an account at which point an ID is generated on the backend. The I… Continue reading Is there any speed benefit to performing your own algorithm to scramble IDs for security purposes? [migrated]
The common advice of benchmarking a password hashing algorithm and choosing the slowest acceptable cost factor doesn’t work for algorithms with more than one parameter: adding a lot of iterations at the expense of memory hardness makes the… Continue reading Since GPUs have gigabytes of memory, does Argon2id need to use gigabytes of memory as well in order to effectively thwart GPU cracking?
I am trying to decrypt a password protected xls file. Currently I was able to extract the hash file. The hash file I have extracted is encrypted with $0/$1, MD5 + RC4, collider #1 hashing algorithm and I thought that Hashcat is the suitabl… Continue reading Hashcat mask attack password length restriction [closed]
Help me with this hash
qLmA2MYp
John the Ripper did not find an answer after working all day.
Continue reading John the Ripper Help me with this hash [closed]
What is blinding with a SHA256() or similar cryptographic hash function?
What applications does it have?
An answer to a recent question briefly mentioned "Consider blinding before calling an external function [such as] SHA256()"…. Continue reading What is "blinding" with cryptographic hash functions?
Whilst I was reverse engineering what calls are performed for Sercomm H300s web panel I found out that the javascript offered for web panel performs an awkward way for username and password authentication:
Firstly a challenge is received … Continue reading Why Serrcom’s H300s authentication mechanism for the router’s web panel hashes the password at client side instead of sending it as is?
I’m trying to follow the OWASP ‘Forgot Password Cheat Sheet’ recommendations for password reset functionality via email. This requires my server to generate a token. OWASP says that PHP’s random_bytes() and openssl_random_pseudo_bytes() fu… Continue reading How many bytes for password reset token? Should one take steps to hash or conceal raw CSPRNG bytes?
I don’t like my server having access to plaintext passwords. Instead of SRP, OPAQUE or another PAKE that needs several rounds, I was thinking I could take the username, server url and password, run a hardened hash like scrypt and generate … Continue reading Replace hashed password by public key generated from password
Is it possible to programmatically generate different hash functions? Of course, it is. We can simply tweak the numerical parameters of the hash function. But is there a known way to generate secure hash functions programmatically? I got a… Continue reading Is there a way to programatically generate new hash functions that are secure?