I just published "Password and Credential Management in 2018" https://medium.com/p/password-and-credential-management-in-2018-56f43669d588
-
-
I'm not sure if I understand your example. Could you explain that a little bit more? Thanks
Regarding SHA3 and HMAC: I had a short discussion on Reddit about using KMAC instead of SHA3, but dropped the thought, as I have never used it and therefore won't recommend it to others -
The example shows that concatenating two variable-length strings can produce a collision. I also wouldn't recommend KMAC. My recommendation of HMAC-SHA256 is because it's widespread. It's an especially good fit for use with yescrypt, which includes it in the tree anyway.
-
BTW, you would need to do this pre-hashing server-side for the relatively few clients that lack client-side computation (JavaScript disabled, e.g. like it often is in Tor Browser).
End of conversation
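The collision the reply above refers to, as an added example that is not part of the thread: hashing `a + b` directly cannot tell `("ab", "c")` from `("a", "bc")`, whereas a length-prefixed encoding or an HMAC-SHA256 pre-hash (the construction recommended in the conversation) keeps the two inputs distinct. The pepper value and the field names are assumptions made for the example; the bcrypt-oriented helper encodes the digest because bcrypt stops at the first NUL byte and a raw digest may contain one.

```python
import base64
import hashlib
import hmac

# Constructed sample secret for the example only; in practice this would be a
# server-side pepper kept outside the password database.
EXAMPLE_PEPPER = b"example-pepper-not-a-real-secret"


def naive_concat_hash(a: bytes, b: bytes) -> bytes:
    """Ambiguous: the boundary between a and b is lost, so different
    (a, b) pairs can produce the same byte string and the same digest."""
    return hashlib.sha256(a + b).digest()


def length_prefixed_hash(a: bytes, b: bytes) -> bytes:
    """Unambiguous: each field is preceded by its 4-byte big-endian length,
    so every (a, b) pair maps to exactly one encoded byte string."""
    enc = len(a).to_bytes(4, "big") + a + len(b).to_bytes(4, "big") + b
    return hashlib.sha256(enc).digest()


def hmac_prehash(key: bytes, password: bytes) -> bytes:
    """HMAC-SHA256 pre-hash: the key is bound by the HMAC construction,
    not by string concatenation, so a key/password split is never ambiguous
    and the output is always 32 bytes regardless of password length."""
    return hmac.new(key, password, hashlib.sha256).digest()


def prehash_for_bcrypt(password: bytes, key: bytes = EXAMPLE_PEPPER) -> bytes:
    """Pre-hash a password before handing it to bcrypt. The digest is
    base64-encoded (44 ASCII bytes, under bcrypt's 72-byte limit) so that a
    NUL byte in the raw digest cannot truncate the input bcrypt actually sees."""
    return base64.b64encode(hmac_prehash(key, password))


def demo():
    naive_collide = naive_concat_hash(b"ab", b"c") == naive_concat_hash(b"a", b"bc")
    prefixed_collide = length_prefixed_hash(b"ab", b"c") == length_prefixed_hash(b"a", b"bc")
    hmac_collide = hmac_prehash(b"ab", b"c") == hmac_prehash(b"a", b"bc")
    return naive_collide, prefixed_collide, hmac_collide


if __name__ == "__main__":
    print("naive concat collides:   ", demo()[0])
    print("length-prefixed collides:", demo()[1])
    print("HMAC pre-hash collides:  ", demo()[2])
    print("bcrypt input:", prehash_for_bcrypt(b"correct horse battery staple"))
```

`prehash_for_bcrypt` is the server-side step mentioned later in the thread for clients that cannot run the pre-hash themselves; the same function can be run in the browser as long as both sides produce byte-identical output.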
New conversation -
-
-
Memory for scrypt and Argon2 to be obviously stronger than bcrypt against GPUs (not specialized ASICs, where scrypt and Argon2 obviously win even at low memory) is similar (tens of MB), and this does not translate to "multiple seconds" (it's on the order of 100ms latency).
-
Thanks for the clarification!
End of conversation
New conversation -