On May 28, 2015 10:11 AM, "Christopher Morrow" <morrowc.lists@gmail.com> wrote:
On Thu, May 28, 2015 at 5:29 AM, Robert Kisteleki <robert@ripe.net> wrote:
Bcrypt or PBKDF2 with random salts per password is really what anyone storing passwords should be using today.
One thing to remember is the hardware determines number of rounds. So while my LUKS (PBKDF2) pass on my laptop or servers have a few 10k rounds, that same pass on a Pi or so would only have 1k rounds (minimum rec).
I get the feeling that, along with things like 'email address verification' in javascript form things, passwd storage and management is something done via a few (or a bunch of crappy home-grown) code bases.
Not generally passwords per se but session tokens and the like, sure (almost as bad).
Seems like 'find the common/most-used' ones and fix them would get some mileage? I don't imagine that 'dlink' (for example) is big on following rfc stuff for their web-interface programming? (well, at least for things like 'how should we store passwds?')
Heh, I started on a fuzzer that'd take a few strings and run them through recipes (base 32/64, rot, xor 1 or 0, etc) and try to find human strings along the way. If multiple strings match a recipe, you can generate your own sessions.