Collaborate Disseminate
I’ve read quite a bit of the StackExchange and HackerNews debates on the user of “peppers” in password hash security. There are a number of different implementations of the idea of a pepper, ranging from an additional hardcod… Continue reading Appending a secret (pepper) to Argon2 password hashes
Kerckhoffs’s second principle:
“It should not require secrecy, and it should not be a problem if it falls into enemy hands.”
Does the use of a pepper for passwords violate this principle, since the pepper is considered … Continue reading Does the use of pepper for passwords violate Kerckhoffs’s principle?
For the first time, a robot has been unionized. This shouldn’t be too surprising as a European Union resolution has already recommended creating a legal status for robots for purposes of liability and a robot has already been made a citizen of one country. Naturally, these have been done either to stimulate discussion before reality catches up or as publicity stunts.
What would reality have to look like before a robot should be given legal status similar to that of a human? For that, we can look to fiction.
Tony Stark, the fictional lead character in the Iron Man movies, …read more
How is a pepper (a large constant number) used after a password has been salted with a salt by a hashing function such as bcrypt?
From Sybex CISSP Official Study Guide, 8th Edition (2018):
Adding a pepper to a salted pas… Continue reading How is a pepper used with salted passwords?
My app is a educational game for elementary schools, involving no money or anything of value, so I am not worried about sophisticated attackers having any interest in this. Still, I would like to follow best practices in case… Continue reading Is a constant pepper at risk if an attacker knows the value and hash?
Pepper! If you’ve ever tried to grind it, you’ve probably noticed it takes a bit of elbow grease. It’s actually possible to source electric pepper mills to grind it for you, in fact. It just so happens that [MarioM66] had one to hand, and a door lock that needed automating.
Seeing as grinding pepper requires at least as much torque as turning an average key in an average lock, the electric pepper mill makes perfect sense to use as a lock actuator. This build actually uses the electric pepper mill to directly turn the key in the lock, courtesy of …read more
“Human relationships can be hard to define.” Continue reading I Talked to Four Humanoid Robots and They’re Mostly Dumb as Doornails
“Human relationships can be hard to define.” Continue reading I Talked to Four Humanoid Robots and They’re Mostly Dumb as Doornails
A system I’m working on accepts as input a customer account number and needs to generate a token based on it. We’re not allowed to store the plain text of the account number itself, so the goal of the token is as follows:
Account numbers resemble credit card numbers. They’re 16-digit long numeric strings; the first 4 characters are constant; the last character is a computable check digit. This means that the actual size of the input set is an 11 character numeric string: 99,999,999,999 possible permutations.
I’ve thought about the methods below. Assume hash means a sufficiently slow secure hash such as high iteration PBKDF2, bcrypt, or argon2 and encrypt means AES256.
1. Plain Hash
hash(account_num)
While being simple, this approach is easy to reverse via brute-force and is vulnerable to rainbow tables.
2. Per-Account Salted Hash
hash(salt + account_num)
This approach fixes vulnerability to rainbow tables, however, due to the limited size of input set is still easy to reverse via brute-force.
3. Per-user Salted Hash encrypted with Global Pepper
encrypt(hash( salt + account_num ), pepper)
This is based on Dropbox’s password storage mechanism. Reversing via brute-force requires leaking both the encrypted blobs and the encryption key. However, since encrypting the same value twice with the same key results in different output blobs, this breaks the ability to select an account from the database by account number.
4. Hybrid Approach
What this accomplishes:
My question: Does approach 4 actually make sense? For the extra security it provides, is it overly complicated? Does it have flaws I haven’t thought about? Most of all, is there a simpler way to solve this problem?
Context: A website is hosted on multiple dedicated servers. There are frontend webservers, backend DB servers and other servers between them.
The DB holds user’s accounts passwords. All connections are secure and the registra… Continue reading Hashed passwords storage: iterations vs entropy