On Wed, May 30, 2012 at 3:25 PM, Maarten Billemont <lhun...@lyndir.com> wrote: > I'm currently considering asking the user for their full name and using that > as a salt in the scrypt operation. Full names are often lengthy and there's > a good deal of them. Do you recon this might introduce enough entropy or > should I also be asking for the user's birth date? I'm just thinking that > this is good information that will make for a wide enough range of different > salts that it will hopefully make rainbow tables too expensive while still > avoiding the problem that a user cannot remember any random salt of such > entropy.
My problem with your design is that the statelessness of it forces you to depend on a really, really good master password, because otherwise any site [to which the user gives a password generated this way] can then mount an off-line dictionary attack on the user's master password. This means that the user needs to have such a strong password that it's likely not practical. PBKDFs with large work/memory factors are useful when the attacker has to compromise some other part of the system in order to be able to mount an off-line dictionary attack on the password. A scheme that exposes material suitable for attacking without any other protections is weak. Nico -- _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography