Timeline for Correct way of encrypting user passwords
Current License: CC BY-SA 3.0
6 events
| when toggle format | what | by | license | comment | |
|---|---|---|---|---|---|
| Jul 26, 2021 at 10:14 | vote | accept | Nagarjuna Borra | ||
| Sep 27, 2015 at 18:32 | comment | added | Nagarjuna Borra | You are right, I framed my question wrong, also my understanding of the brute forcing is wrong. Regarding the 2'nd question, do you think deriving different keys is not any good (or worse), is using a single master key for all passwords more than enough? | |
| Sep 24, 2015 at 16:47 | comment | added | Tom Leek | If someone can encrypt passwords with the "master key" then that someone has the key, and you lost. A 256-bit master key, properly generated, cannot be brute-forced. A higher iteration count only turn an utterly impossible attack into another utterly impossible attack, so there is no actual gain. | |
| Sep 24, 2015 at 16:08 | comment | added | Nagarjuna Borra | 1. regarding PBKDF2, i didnt understand why iterations should be low in our case, will it not make easier for someone who is trying to do a bruteforce attack? (i did get the 'master key is not a password, but a long random data, so bruteforcing is fruitless' part, but what if someone tries to have a list of passwords, encrypt each and compare them with the encrypted data, surely slowness would help right) 2. is 'different derived keys' not worthy than 'same master key'? (my concern being here is - even if someone deduces a user's derived key, he would not be able to deduce others) | |
| Sep 24, 2015 at 16:06 | comment | added | Nagarjuna Borra | thank you very much for the pointers, especially the IV one few queries(asking them out of curiousity :)) in below comment | |
| Sep 24, 2015 at 12:53 | history | answered | Tom Leek | CC BY-SA 3.0 |