On Sunday, January 22, 2017 at 7:52:42 PM UTC-8, Alex Glaros wrote:
>
> had not seen the reports Dave, thanks for confirming the concern
>
> any ideas on how to generate a key? How long must it be? Would not tend
> to trust online generator...
>
> Alex
>
I use KeePass for storing my collection of personal passwords. It is happy to generate a random key for me, and as of v1.31 was defaulting to 111 bits (20 characters), but still showed "green" for 80 bits (15 characters).

If you make passwords that you can remember (I do for some), there's the problem of dictionary attacks speeding up the brute-force cracking, and the common obscuring techniques merely force a larger dictionary. And with GPUs not yet having reached their theoretical limit, 111 bits may soon be within reach of home hackers. Two-factor schemes or hardware keys would still be indicated for anything requiring serious protection.

Also, encrypting the database is a good way to provide protection for "data at rest", but it may still be necessary to think about "data in flight" in a rigorous way. Enforcing HTTPS and banning the broken versions of TLS is part of how that's being addressed, but servers may be vulnerable to shared-memory exploits (which also expose passwords), and clients may also be vulnerable (but if you can limit the data exposed to the client ...).

Sorry, Massimo got me started attending OWASP meetings, and I've picked up some of what they are saying.

/dps

--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
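The thread above turns on two numbers: how many bits a random password of a given length carries, and how a memorable (dictionary-shaped) password compares. The script below is an added example, not code from either poster or from KeePass: it generates a key with the operating system CSPRNG (Python's `secrets`, which is what you should reach for instead of an online generator), computes the entropy of a uniformly random password for a given alphabet and length, does the same for a passphrase drawn from a word list, and estimates worst-case exhaustion time at an assumed guess rate. The `ALPHABET` string, the 7776-word list size and the guess rates in the demo are assumptions chosen for illustration, not KeePass's settings or measured GPU figures.

```python
import math
import secrets
import string

# Character set for the generator. Assumption for this example: letters,
# digits and a handful of punctuation characters (76 symbols). It is not
# KeePass's exact default set.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `alphabet_size` symbols.

    Only valid for uniformly random output. A human-chosen password of the
    same length has far less, because the attacker models it with a
    dictionary rather than the full alphabet.
    """
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest length at which a uniform password reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_password(length: int, alphabet: str = ALPHABET) -> str:
    """Generate a password from the OS CSPRNG. Never use random.random() here."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate in a keyspace of 2**bits."""
    return 2.0 ** bits / guesses_per_second


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    return seconds_to_exhaust(bits, guesses_per_second) / SECONDS_PER_YEAR


def report(label: str, bits: float, guesses_per_second: float) -> str:
    return (f"{label}: {bits:6.1f} bits, "
            f"{years_to_exhaust(bits, guesses_per_second):.3g} years "
            f"at {guesses_per_second:.0e} guesses/s")


if __name__ == "__main__":
    # Assumed attacker speed for the demo (fast hash, several GPUs);
    # a slow KDF such as the one protecting a KeePass database cuts this
    # rate by orders of magnitude.
    rate = 1e11

    pw = random_password(20)
    print("generated:", pw)
    print(report("random, 20 chars", entropy_bits(len(ALPHABET), 20), rate))
    print(report("random, 15 chars", entropy_bits(len(ALPHABET), 15), rate))
    print("chars needed for 111 bits:", length_for_bits(111, len(ALPHABET)))
    print("chars needed for  80 bits:", length_for_bits(80, len(ALPHABET)))

    # A memorable password modelled as words from a dictionary: the
    # attacker's alphabet is the word list, not the characters.
    print(report("3 words, 7776-word list", entropy_bits(7776, 3), rate))
    print(report("6 words, 7776-word list", entropy_bits(7776, 6), rate))
    # "Obscuring" tricks (l33t, trailing digit) only multiply the dictionary:
    print(report("3 words x16 variants", entropy_bits(7776 * 16, 3), rate))
```

The generator's entropy depends on the alphabet size and length, not on how "strong" the characters look; a memorable password is scored by the size of the dictionary an attacker would use, which is why the same character count can mean 111 bits in one case and under 40 in another. The guess rate is the variable you control least, which is the point of the two-factor remark above.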

