Collaborate Disseminate
I am writing a Java application that is required to locally authenticate a user with a password and then use the password to generate an AES-256 key for local file encryption/decryption.
I understand the principles behind everything and h… Continue reading Using PBKDF2 for hash and AES key generation implementation
I’m building a small command line tool (mostly for fun) that is meant to store data (such as passwords or files) encrypted into a local database, with a user supplied password, pretty much the same functionallity as KeePass.
… Continue reading Review on encrypted data storage algorithm
Does anybody use deliberately short hash lengths for passwords to increase the chance of false positive collisions in the event of a brute force attack on the database?
When trying to decide on a hash length, my default assu… Continue reading Protecting Passwords Using Short Hash Length
wpa_passphrase “testing” “testingpassword”network={
ssid=”testing”
#psk=”testingpassword”
psk=ae9400eac47807861c32f6b2d52434594fe1f1cbbd5ae0d89d5199ea5e4c79aa
}
I did a python script as this wikipedia article te… Continue reading Python wpa_passphrase (linux binary) implementation generates only part of the psk
wpa_passphrase “testing” “testingpassword”network={
ssid=”testing”
#psk=”testingpassword”
psk=ae9400eac47807861c32f6b2d52434594fe1f1cbbd5ae0d89d5199ea5e4c79aa
}
I did a python script as this wikipedia article te… Continue reading Python wpa_passphrase (linux binary) implementation generates only part of the psk
Why when we sign up on sites like Facebook and Gmail do our passwords have to be 8-12 characters in length, or some other cap? 8-12 spaces are finite, but you can make your passwords more “secure” by adding uppercase letters … Continue reading Why is there a Cap on Password length?
I have made a website, in which on login I am using pbkdf2_sha256 for password hashing. I have used salt also.
I want to make a simple software just for the experience, I want to login into the c# software using same credenti… Continue reading How to implement pbkdf2_sha256 in c# [migrated]
Is it safe to generate a public/private key pair from a users password using PBKDF2, and send the public key to the server to store as the user’s key? Then when the user logs in, it would again generate the private key from t… Continue reading Use Public/Private key pair for password authentication
I want to implement an authentication system by following good practices, i want it as simple as possible and secured (im not going to implement some magic hashing function or something to feel a hero..) just wanting to use already known hash but not sure the right way of using it.
I read some articles on how Lastpass (a password management company) mange to handle their authentication and i loved their idea.So i wanted to implement my own authentication based on it.
Basically im creating an authentication key from the password on the client side (so the password is never sent as a plan text to the server).
that authentication key im sending to the server than do some hashing operations also in the server side and compare the result to the one inside the database.
On my client side:
auth_key = PBKDF2(SHA256, password+username, last_login_fe_salt, fe_rounds)
explanation – hashing password+username+last_login_fe_salt text fe_rounds times
last_login_fe_salt -> a random salt sent to the user once he/she input their username in text field –
To be honest, not sure how this last_login_fe_salt is efficent for the cryptography against Dictionary attacks but atleast two people having the same password will send different hashes on their network.
any hacker can get this data by asking from the server, i can add server side limitations (req/s if it makes some difference etc.. let me know what you think) also adding captcha might be a good idea. When a user logged in successfuly the server generates a new random string and saves in into the database.
*I didnt see any explanation which salt Lastpass uses on their client side hashing, they are using PBKDF2 algorithm that needs a salt parameter.
fe_rounds -> number of rounds given by the server when typing username –
its fixed for everybody and configurable by the server, also in articles i read about Lastpass they dont explain from where they receive the client side number of rounds…
so now we send auth_key as is to the server…
On my server side
now we are creating a new hash to compare the one inside the db.
Why another hash? if i understand correctly we bind the hash for server side data, like a combination of a password (that only the user knows) and server data.
db_auth=PBKDF2(SHA256, auth_key, user_be_salt, 100,000+user_configurable_rounds)
user_be_salt -> a random number that saved in db known only to the server and the ones who obtain the database, this changes on every successful login.
user_configurable_rounds -> number of iterations, every user can choose the amount of iterations (like in Lastpass) so attacker need also to guess the number or iterations?
I would be happy to hear what do you think about this authentication system, if its wrong than explain to me why and tell me what Lastpass do because i did not understand their entire authentication flow.
If you already have SHA1 hashed passwords and you’re trying to migrate to a better password hashing algorithm, is it less secure to just use PBKDF2 to hash the SHA1 hashes you already have instead of migrating users over when… Continue reading Is it insecure to use PBKDF2 on a SHA1 hashed password?