Changes between Version 40 and Version 41 of Authentication


Timestamp:
04/22/18 17:51:32 (2 years ago)
Author:
Antoine Martin
Comment:

--

  • Authentication

    v40 v41  
    118118* if you are concerned about security, use SSH as transport instead
    119119
     120[[BR]]
     121
    120122== Salt handling is important ==
     123* [https://crypto.stackexchange.com/a/34162/48758 64-bit entropy is nowhere near enough against a serious attacker]: ''If you want to defend against rainbow tables, salts are inevitable, because you need a full rainbow table per unique salt, which is computationally and storage-wise intense''
    121124* [https://blog.mozilla.org/security/2011/05/10/sha-512-w-per-user-salts-is-not-enough/ SHA-512 w/ per User Salts is Not Enough]: ''In the event the hash was disclosed or the database was compromised, the attacker will already have one of the two values (i.e. the salt), used to construct the hash''
    122125* [https://news.ycombinator.com/item?id=1998198 about hmac]: ''Those people should know that HMAC is as easy to precompute as naked SHA1 is; you can "rainbow-table" HMAC''
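
Review bot: the bullet added at v41 line 123 pairs a link title about entropy ("64-bit entropy is nowhere near enough against a serious attacker") with a quotation about rainbow tables needing one full table per unique salt, and nothing in the line says how the two relate or what follows for this page. Suggest adding a short clause after the quote that ties them together, for example that a salt has to be unique and long enough that building a table per salt value is impractical. The same gap applies to the section as a whole: after this change, "Salt handling is important" is three quoted citations with no sentence stating what the reader should take from them for xpra's authentication, so one summary line under the heading would help. As a style point, the `[[BR]]` added at line 120 only forces vertical space before the heading and can be dropped if the heading already renders with a margin. The change comment is also empty ("--"); a few words on why the link was added would make the history easier to follow.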