Questions tagged [password-hashing]

Irreversibly converting user-selected passwords into authentication tokens that can be safely stored e.g. in a user database. Typically done with a salted password-based key derivation function (PBKDF), ideally with a memory-hard mixing stage to thwart brute-force attacks using parallel hardware.

4 votes
1 answer
259 views

Adversaries got hold of a database of password hashes. They want to find the password for at least one of the hashes. They'll try $k$ passwords on each of $h$ hashes. We assume they know enough about ...
fgrieu • 151k
4 votes
3 answers
612 views

We have a Spring Boot application, which previously used BCrypt to hash the passwords. Those hashed passwords eventually ended up in the database. Now the ask is to switch the hashing algorithm to Argon2. ...
hell_storm2004
2 votes
1 answer
123 views

Is the only difference between password hashing for deriving a key versus for verifying a password in how the algorithms are used? That the design requirements for an algorithm for either are ...
Melab • 4,328
1 vote
1 answer
217 views

Playing around with some ideas for a hash-function using simple primitives, I came up with this construction: Select two large safe primes, $B$ and $M$, where $B < M$. Define $C$ as the ...
Sir Galahad
2 votes
0 answers
58 views

So the Cisco IOS password "encryption" type 7 uses the 4 bit salt/seed to decide which part of the static key to start encrypting from, but I can't find any details on how this salt is ...
n-l-i • 1,124
1 vote
0 answers
55 views

Would it be feasible to create a blockchain-based system where data hashes are stored in the blockchain, replicated across all nodes, and protected by a self-destruct mechanism? In this system, if a ...
cawani_ • 11
1 vote
1 answer
194 views

I'm currently studying the security mechanisms used by 1Password, particularly the Two-Secret Key Derivation (2SKD) sequence as described in section 8.2.1 of their white paper. Here's the specific ...
gradientsearch
2 votes
1 answer
184 views

Stock 7-Zip AES-256 encryption runs your password through a hash function 524,288 times ($2^{19}$). Source 1 Source 2 This is considered to be Not very good compared to a standard amount of Argon2 or ...
user125888
0 votes
0 answers
62 views

I would like to ask about vulnerabilities of the following algorithm for a password manager. It is structured as follows: There is a master password UTF-8 10 characters long, not to be stored anywhere....
Fabius Wiesner
3 votes
2 answers
183 views

I have 2 unique random 256-bit keys, 1 is public, 1 is secret that need to be combined into 1 secret key. In my search, I found that HMAC is more suited for this purpose and does not require an ...
Kim Mỹ • 205
5 votes
1 answer
166 views

For password hashing, is it better to compute a pseudorandom data-independent memory access pattern using the salt, the cost parameters (memory size, iterations, and parallelism), or some other way? ...
samuel-lucas6
0 votes
1 answer
123 views

I'm thinking about a page-level encryption scheme for a database, the general structure would be something like the following: Derive KEY from PASSWORD and SALT using libsodium's Argon2ID Encrypt ...
Mathieu Borderé
0 votes
0 answers
79 views

I am new to cyber security and I do know the basics of how password hashing works. However, I have not been able to find an answer online to my query, although I think that it is a stupid and somewhat ...
security_paranoid
0 votes
1 answer
125 views

I have been practicing using Manuel Blum's Mental Hash Function for personal use, described in the link below: Mental Cryptography and Good Passwords However, Rob Shearer has shown that the function ...
its.just.me
1 vote
1 answer
215 views

So I was reading through an article about how passwords are salted and hashed through a cryptographic function here, and found out that hashed passwords, along with the plaintext salt values are ...
mantot123 • 111