On 01/15/2014 08:33 AM, Kurt Roeckx wrote:
> On 2013-12-17 16:02, Stéphanie Ouillon wrote:
>> Hi,
>>
>> I'm in the Firefox OS Security team and I'm starting to work on adding
>> support for stronger passwords in the Firefox OS lockscreen (bug 877541)
>> [1].
>> At the moment, only a 4-digit password can be configured and we want to
>> improve that for FxOS 1.4 (March 2014).
>>
>> Some time ago, David Dahl provided a patch for having hashing
>> functions in Gecko: it's a JSM living next to the SettingsManager for
>> FxOS [2]. Supported algorithms are sha256, sha384 and sha512.
>>
>> But having a set of hashing functions that could be called from anywhere
>> would definitely be best.
> 
> I'm confused what passwords have to do with hashes.  Do you want to
> store hash(pass)?  This is a bad idea, please use something that is
> designed to store passwords instead like bcrypt, scrypt or PBKDF2.

Excellent point. (I assumed they wanted access to the underlying hash
functions so they could build PBKDF2 or similar). PBKDF2 is implemented
in CryptoUtils.js [0], along with some other convenience functions. I
don't think this is exposed as the kind of API OP is looking for, but
perhaps it could be.

[0] http://dxr.mozilla.org/mozilla-central/source/services/crypto/modules/utils.js

Another option would be to use JS implementations of password hashing
functions (or Emscripten-compiled native versions of the same, which
should get near-native performance, especially important for slow hash
functions). For example:

* https://github.com/tonyg/js-scrypt (Emscripten-compiled)
* https://code.google.com/p/crypto-js/ (includes PBKDF2)

> 
> Kurt
> 
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
