[cryptography] pypass, a HMAC-based passphrase generator

travis+ml-rbcryptography at subspacefield.org
Tue Oct 5 17:56:09 EDT 2010


On Wed, Sep 29, 2010 at 08:42:30PM -0400, Jack Lloyd wrote:
> On Wed, Sep 29, 2010 at 04:31:57PM -0700, travis+ml-rbcryptography at subspacefield.org wrote:
> > Should I use PBKDF2 instead of hashing master pass?
> 
> Without it, it would be pretty easy for someone with access to a
> single site password to go backwards.

You mean guess/brute force the master, compute the site pass, and
compare to what they know?

That's the only attack I can think of.  I grant you that hint is
non-secret, that's an assumption in my design.

Unfortunately PBKDF2 doesn't actually increase the guessing entropy,
just increases the time required for each guess, and makes it
non-parallelizable.  I think the right answer is "lots of states"
but increasing cost of guessing wouldn't hurt.
-- 
I find your ideas intriguing and would like to subscribe to your newsletter.
My emails do not have attachments; it's a digital signature that your mail
program doesn't understand. | http://www.subspacefield.org/~travis/ 
If you are a spammer, please email john at subspacefield.org to get blacklisted.
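
The trade-off discussed in this message, as an added example (not pypass code and not written by either poster): it assumes the site password is a truncated HMAC-SHA256 over the non-secret hint, keyed by either a plain hash or PBKDF2 of the master passphrase. The hint, salt, iteration count and candidate list are constructed. It shows that the number of guesses needed is the same for both derivations, while the time per guess grows.

```python
import hashlib, hmac, time

HINT = b"example.com"        # constructed; the hint is treated as non-secret
SALT = b"constructed-salt"   # assumption: fixed salt for the PBKDF2 variant
ITERATIONS = 10_000          # assumption: low, so the demo finishes quickly

def key_hash(master: bytes) -> bytes:
    """Master key as a single hash of the master passphrase."""
    return hashlib.sha256(master).digest()

def key_pbkdf2(master: bytes) -> bytes:
    """Master key stretched with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master, SALT, ITERATIONS)

def site_pass(key: bytes, hint: bytes = HINT) -> str:
    """Hypothetical site password: truncated HMAC of the hint."""
    return hmac.new(key, hint, hashlib.sha256).hexdigest()[:16]

def verification_cost(kdf, master, candidates):
    """Count candidates tested, and time spent, until one reproduces
    the site password derived from `master` (None if none does)."""
    known = site_pass(kdf(master))
    start = time.perf_counter()
    for n, guess in enumerate(candidates, 1):
        if hmac.compare_digest(site_pass(kdf(guess)), known):
            return n, time.perf_counter() - start
    return None, time.perf_counter() - start

def compare():
    # Constructed candidate list; the master sits at position 13 of 20.
    candidates = [f"candidate-{i}".encode() for i in range(20)]
    master = candidates[12]
    n_hash, t_hash = verification_cost(key_hash, master, candidates)
    n_kdf, t_kdf = verification_cost(key_pbkdf2, master, candidates)
    return {"guesses_hash": n_hash, "guesses_pbkdf2": n_kdf,
            "seconds_hash": t_hash, "seconds_pbkdf2": t_kdf}

if __name__ == "__main__":
    r = compare()
    print(r)
    print("slowdown per guess: %.0fx" % (r["seconds_pbkdf2"] / r["seconds_hash"]))
```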