Thomas Hartman wrote:
> http://hackage.haskell.org/cgi-bin/hackage-scripts/package/PBKDF2
>
> Since no one took up my code review request I just did the best I
> Also I'm open to folding this into a more established crypto package
> if there are any takers... psst, dominic.
I've now had chance t
Thomas Hartman wrote:
> http://hackage.haskell.org/cgi-bin/hackage-scripts/package/PBKDF2
>
> Since no one took up my code review request I just did the best I
> could and uploaded to hackage. There were indeed some mistakes in my
> initial post, fixed now. (Code review is still wished, though!)
>
http://hackage.haskell.org/cgi-bin/hackage-scripts/package/PBKDF2
Since no one took up my code review request I just did the best I
could and uploaded to hackage. There were indeed some mistakes in my
initial post, fixed now. (Code review is still wished, though!)
Alas, documentation doesn't buil
Sorry about the hideous formatting above. Reattached as a text file.
t.
2008/11/26 Thomas Hartman <[EMAIL PROTECTED]>:
> OK, I went ahead and implemented pbkdf2, following the algorithm
> linked to by bulat and Michael.
>
> If there are any crypto gurus who can code-review this I would be much
>
What you are using there is not a salt, but rather a secret key. The
important thing about a salt is that it is different for _every user_,
and you actually store the salt unhashed along with the hash. (It is not
secret information). A salt protects against a dictionary attack, for
instance, you mi
OK, I went ahead and implemented pbkdf2, following the algorithm
linked to by bulat and Michael.
If there are any crypto gurus who can code-review this I would be much
obliged, and when I'm confident enough that this does the right thing
I'll put it up on hackage.
I don't do much crypto so this *
8:38 AM
To: Bulat Ziganshin; haskell-cafe; HAppS
Subject: Re: Re[2]: [Haskell-cafe] Password hashing
What does haskell cafe think of the following module for drop-in
password hashing for webapps? Seem reasonable?
import Data.Digest.SHA512 (hash)
import qualified Data.ByteString as B'
import
Just to note, the comment about md5 is incorrect. I switched to SHA512
as you can see in the code.
2008/11/25 Thomas Hartman <[EMAIL PROTECTED]>:
> What does haskell cafe think of the following module for drop-in
> password hashing for webapps? Seem reasonable?
>
> import Data.Digest.SHA512 (hash)
What does haskell cafe think of the following module for drop-in
password hashing for webapps? Seem reasonable?
import Data.Digest.SHA512 (hash)
import qualified Data.ByteString as B'
import qualified Data.ByteString.Char8 as B
-- store passwords as md5 hash, as a security measure
scramblepass ::
to expand on this:
Bulat Ziganshin wrote:
> 1) without salt, it's not serious - easily broken by dictionary
> attack
and this:
Thomas Schilling wrote:
> In general, it is recommended that password hash functions are
> comparatively *slow* in order to make offline attacks harder. You can
> some
Hello Thomas,
Thursday, October 30, 2008, 3:32:46 PM, you wrote:
> No salt, but apart from that, should be fine, right?
1) without salt, it's not serious - easily broken by dictionary
attack
2) afair, md5 isn't considered now as cryptographic hash
--
Best regards,
Bulat
Hello Bit,
Wednesday, October 29, 2008, 4:32:51 PM, you wrote:
>> It's a good idea to salt your passwords before hashing, though. See
> What can be used for generating a random salt? Is System.Random secure enough?
if you use mkStdRNG it's good enough for non high-secure programs. it
inits rnd g
12 matches