RT @bascule @tqbf @Walshman23 @typed that's like saying use MD5 for pswd storage requires good salt mgmt < You crackin' HMAC-SHA256? LOL
Replying to @manicode
@manicode @tqbf @Walshman23 @typed if I know the key, and it's a HMAC of a low entropy string, sure
Replying to @bascule
@bascule @tqbf @Walshman23 @typed Yup! If you have the HMAC key you are just hashcracking. This depends on key management/crypto isolation.
Replying to @manicode
@manicode @tqbf @Walshman23 @typed what you're proposing is effectively the same as using the same salt for every password o_O
Replying to @bascule
@bascule @manicode @tqbf @Walshman23 I don't see why the HMAC is necessary. Isn't this just per-user salt + secret global salt hashes?
Replying to @typed
@typed @manicode @tqbf @Walshman23 if you did salt' = HMAC(k, salt) and PHF(salt', password, [, factors]) that'd be cool
Replying to @bascule
@bascule @typed @tqbf @Walshman23 So what KDF do you use and what work factor do you use with it, can you say?
Replying to @manicode
@manicode @typed @tqbf @Walshman23 presently using bcrypt, will keep it at that ;) We aren't having "scaling problems" with it yet
Replying to @bascule
@bascule @typed @tqbf @Walshman23 What bcrypt work factor are you using may I ask?
@manicode @typed @tqbf @Walshman23 nontrivial ;)
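
The construction sketched in the thread above (salt' = HMAC(k, salt), then PHF(salt', password)), as an added example that is not part of the thread or any participant's code. scrypt from Python's standard library stands in for the PHF; the key value, cost parameters and function names are assumptions made for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo key. In a deployment k is kept outside the password
# database (the "key management/crypto isolation" mentioned in the thread).
PEPPER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

# scrypt cost parameters: assumed demo values, roughly 16 MiB per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def derive(key: bytes, salt: bytes, password: str) -> bytes:
    """salt' = HMAC(k, salt); digest = PHF(salt', password)."""
    # The secret key only transforms the per-user salt, so the slow
    # password hash still runs for every guess even if the key leaks.
    keyed_salt = hmac.new(key, salt, hashlib.sha256).digest()
    return hashlib.scrypt(password.encode("utf-8"), salt=keyed_salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def hash_password(key: bytes, password: str) -> tuple[bytes, bytes]:
    """Return (salt, digest); the random per-user salt is stored in the clear."""
    salt = os.urandom(16)
    return salt, derive(key, salt, password)


def verify_password(key: bytes, salt: bytes, digest: bytes, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(derive(key, salt, password), digest)


if __name__ == "__main__":
    salt, digest = hash_password(PEPPER_KEY, "correct horse")
    print("right password:", verify_password(PEPPER_KEY, salt, digest, "correct horse"))
    print("wrong password:", verify_password(PEPPER_KEY, salt, digest, "hunter2"))
    # A stolen (salt, digest) row cannot be tested without the key.
    print("wrong key:     ", verify_password(b"\x00" * 32, salt, digest, "correct horse"))
```
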