On Oct 28, Alexander Burger scribed:

> On Wed, Oct 27, 2010 at 04:21:45PM -0400, David N Murray wrote:
>
> Or simply create an account for yourself and analyze the encryption of
> your own password in the client. As the client needs the full
> information, including the encryption keys, you might crack it easily.

It seems to have been lost somewhere along the way, but my original email indicated I use a one-way hash of the password (a la crypt(), but there are better nowadays, like http://www.webtoolkit.info/javascript-sha256.html). No key required. Algorithm is well documented and delivered to the client in javascript.

I think it's interesting that you suggested a brute-force attack. By brute-force, do you mean every possible combination? I recall reading recently that the US FBI had an Organized Crime boss' encrypted hard drive in its possession for several years and couldn't crack it. The impression I got from the article was that they were using a dictionary attack.

Dave
