Collaborate Disseminate
So if I got this right from my intense research, the following procedure would be preferrable:
Use the PBKDF2 key derivation function to derive a secret key from the users password on the client side.
Use the derived key, which was generat… Continue reading Algorithms when using client side hashing plus server side hashing
I have some passwords hashed with C# using Rfc2898DeriveBytes.Pbkdf2(bytes,src,5000,HashAlgorithmName.SHA1,24) (an older implementation) and would like to port this code to java.
However I don’t seem to get the two hashes to be the same.
… Continue reading Working Rfc2898DeriveBytes.Pbkdf2 in Java [migrated]
Question:
I am working on a password-based file encryption and decryption system in Python using the PBKDF2 key derivation function and Fernet encryption. I have a specific requirement: I want to verify a user’s password without storing th… Continue reading Verification of Password without Storing Hash – Security Considerations
For a web service, I am considering generating random 25-49 recovery codes as a kind of pass that can be stored in a pass manager (no usernames).
Instead of pass(word) hashing on the server, I consider hashing the pass on the client with p… Continue reading Is pass -> [via pbkdf2] -> seed -> ECDSA key pair better than pass(word) hashing?
We (collectively) salt passwords, then hash them; maybe even run them through something like PBKDF2 first (depending on how the password will be used).
The end result is that we have a string p and map it to a fixed-length string p’ using … Continue reading How certain is it that a shorter password can’t match the salted hash of a long one? [migrated]
I have a PCKS#8 RSA Key encrypted with a passphrase and would like to retrieve the iteration count used for the PBKDF2 used to derive the AES Key used for encryption, in order to make sure that they conform to the standard https://www.rfc-… Continue reading OpenSSL get PKCS#8 encrypted rsa PBKDF2 iteration count
I am looking for a technical estimate of how bad the situation is regarding the recent hack of lastpass. The hack was covered by several outlets: Naked Security, Ars Technica.
Lastpass has admitted that a hack took place over its servers a… Continue reading What is the math behind iterations in PBKDF2-SHA256 for lastpass users?
It’s not just the hashing, by the way. It’s the salting and the stretching, too! Continue reading Serious Security: MD5 considered harmful – to the tune of $600,000
I am trying to better understand the processes involved in e2ee using WebCrypto on the browser.
I understand that the only real method to use a passphrase to generate a symmetric key on the browser is using PBKDF2 using a crypto random sal… Continue reading Can parts of WebCrypto AES-GCM be reused between encryptions
I’m implementing encryption in one of my webextension which will encrypt locally stored data.
I have a single master CryptoKey (AES-GCM) that encrypts everything.
And this master key is then encrypted (using crypto.subtle.wrapKey) with:
u… Continue reading How long "digits-only recovery code" is secure enough?