Support for "slower" hashes? #9
Comments
|
I'd like to have a look on that after the first release. Or you can create a pull-request and I'll be glas to review it. ;-) |
|
Seems like what you probably would want for this is to use a password-based key derivation function, such as PBKDF2 or newer algorithms - the basic idea is to take the password and hash it, then hash that, then hash that, ... ie do some arbitrary iterations of hashing to increase the computational cost to the desired level. This isn't actually the algorithm, but that's the idea. It will slow down the user trying to derive their password for a site, but someone trying to bruteforce the master password based on a known site password will have to pay this performance cost for every guess, making it impractical. On the other hand if this is being done in JavaScript, the attacker could run this on a crypto currency mining rig that has been optimized to do tons of hashes per second. Such algorithms are commonly used in disk encryption and more info can be found here: |
First, thanks for the new passhash-ng! It looks great!
Also a question - I was using my own forked version of passhash for a long time, mostly because I could not land my "sha512crypt" branch [1] upstream (because upstream had moved on by this time). The rational behind this PR was to add one more level of defence by making the hash slower on purpose so that if someone captures the plain text of a generated password it is harder to do a dictionary attack on that to find the master password. The old article I read back in the day in [3] - probably outdated by now
So I wonder if you would be interested in supporting additional hash functions like sha512crypt [2] or bcrypt or similar? Happy to help with this if you agree that it can be integrated.
[1] mvo5/PassHash@77820f4
[2] Pure JS e.g. https://github.com/mvo5/sha512crypt-node
[3] http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
The text was updated successfully, but these errors were encountered: