Collaborate Disseminate
One problem with passwords is that if they can be broken as follows:
pick a random password
hash it
compare that hash to other known hashes
This way, you have broken the password. Then if you can access the hash of a password, you can re… Continue reading Why don’t companies just tie the password to the user name?
I am learning TLS handshake and find client/serve will negotiate a cihpersuite during client/server hello.
Usually, the last part of a ciphersuite is a hash algorithm, like SHA256 in ECDHE-ECDSA-AES128-SHA256. The second part of a ciphersu… Continue reading What is the relation between "signature_algorithms" handshake extension and TLS ciphersuite
I noticed that certain software does not provide hash anymore nowadays.
E.g.
Zoom
https://zoom.us/download
wolf@linux:~$ ls -lh zoom_amd64.deb
-rw-rw-r– 1 wolf wolf 44M Jan 1 00:00 zoom_amd64.deb
wolf@linux:~$
I’ve googled both md5… Continue reading How to verify integrity of software when the download provider doesn’t publish hashes?
When I generate an MD5 hash with a plain-text (password), I get:
$echo -n "password" | openssl dgst -md5 -binary | openssl enc -base64
X03MO1qnZdYdgyfeuILPmQ==
This works fine if I knew the plain-text, but I got an MD5 Hex stri… Continue reading MD5 Hex to Base64 String
I already know how to use password_verify and password_hash functions, but I don’t really understand how they work.
When I use them I do something like that:
$save_hash = password_hash( $password, PASSWORD_DEFAULT );
$check = password_veri… Continue reading How password_hash / password_verify can work with any arguments (PHP)
I’m trying to build a list of configuration files that store secrets in Linux. By secrets I mean files that contains passwords, database string connection, hashes etc. The most notable example is, of course, /etc/shadow. /etc/pki/* is also… Continue reading Which config files in a linux install contain passwords or other secrets?
I would like to hash user password with Argon2id, then use this hash as ECDSA private key. I made some tests with Python and passlib.hash and found following parameters:
memory: 32 MB
iterations: 100
hash length: 32 bytes (the same as ECD… Continue reading How to assess security of Argon2 parameters [duplicate]
My users (researchers) will be storing where their website is on a mysql database on my server.
Ideally I want to hash the locations so that when the researchers’ participants submit their data to my server, I can confirm whether the websi… Continue reading one-way hash with PhP onto MySQL database (NOT for password)
When downloading files (mainly software/installers) from pages in browsers, sometimes it comes also with a cryptographic hash or a signature to verify the authenticity of a file against data manipulation (example below).
Why there isn’t … Continue reading Why there is nothing that automatically checks signatures of files downloaded in browsers? [duplicate]
Note: I’ve already read Is it ok to send plain-text password over HTTPS? and https security – should password be hashed server-side or client-side?, but here it’s about a specific replacement method (see below).
After reading an article a… Continue reading Alternatives for sending plaintext password while login