On Oct 28, Alexander Burger scribed:

> On Wed, Oct 27, 2010 at 04:21:45PM -0400, David N Murray wrote:
>
> Or simply create an account for yourself and analyze the encryption of
> your own password in the client. As the client needs the full
> information, including the encryption keys, you might crack it easily.

It seems to have been lost somewhere along the way, but my original email
indicated I use a one-way hash of the password (a la crypt(), but there
are better nowadays, like
http://www.webtoolkit.info/javascript-sha256.html).
No key required.  Algorithm is well documented and delivered to the client
in javascript.

I think it's interesting that you suggested a brute-force attack.  By
brute-force, do you mean every possible combination?  I recall reading
recently that the US FBI had an Organized Crime boss' encrypted hard
drive in its possession for several years and couldn't crack it.  The
impression I got from the article was that they were using a dictionary
attack.

Dave