Open Source and information security mailing list archives
Date: Sun, 19 Jan 2014 13:39:07 -0500
From: Bill Cox <>
To: Krisztián Pintér <>
Subject: Re: [PHC] Native server relief support for password hashing in browsers

On Sun, Jan 19, 2014 at 1:16 PM, Krisztián Pintér <> wrote:
> Bill Cox (at Sunday, January 19, 2014, 7:03:22 PM):
>>> it is getting to be my pet peeve, but i think we badly need some
>>> randomized blinding.
>> This is one reason I like Blakerypt's session key idea.
> last time i explained that, you called me a dork and another adjective
> i don't remember now. what happened? you have leveled up since? or
> became a dork yourself?

Yes, I have been a dork.  Sorry about that.  I have in common with you
a tendency to color what I say with strong feelings, and that gets me
in trouble.

Assuming you can forgive my past crude remarks, I would be
interested if we're actually both concerned about the same issue:
memory leaks as the main threat against memory hard KDFs, and I am
interested in your thoughts on Blakerypt style mitigation techniques,
and if such protection can be extended to client-side hashing.

