home.social

#pbkdf2 — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #pbkdf2, aggregated by home.social.

  1. Three architectural decisions for multi-tenant B2B SaaS that I wish I had learned about earlier

    The most expensive mistake in my B2B SaaS was exactly one line: TENANT_ID = "tenant-1" in config.py. A day and a half of bug hunting showed why multi-tenant architecture has to be built in from the first commit. A breakdown of three architectural decisions for multi-tenant SaaS in a regulated industry: a tenant_id helper, PostgreSQL EXCLUDE USING gist against double-booking, and 152-FZ as code on FastAPI and SQLAlchemy.

    habr.com/ru/articles/1033488/

    #multitenant #fastapi #postgresql #sqlalchemy #exclude_using_gist #argon2id #pbkdf2 #152фз #audit_log #b2b_saas

  5. New blog post:
    I demo cracking SQL Server 2025 login passwords offline.
    hashcat is currently the only viable tool for auditing SQL Server 2025 login passwords.

    The results show how #PBKDF2 slows down brute-force attacks both inside and outside of SQL Server compared to the pre-2025 hashing algorithm.

    Full methodology, benchmarks, and code included.
    vladdba.com/2026/04/16/crackin
    #sqlserver #sqldba #microsoftsqlserver #hashcat #cybersecurity #infosec #sql

  7. GreatEasyCert, or how to implement a GOST key container

    Hi, Habr! My name is Gosha, and I am a senior software engineer at Kontur. Almost any EDI (electronic document interchange) scenario involves cryptography, whether it is EDI with the government or with counterparties: somewhere you need to sign documents, somewhere encrypt an archive with a report, somewhere verify the signature on a document from a counterparty. We want to test each of these scenarios not on real data, but on data as close to reality as possible. Besides the data itself, we need certificates that imitate the certificates of EDI participants: organizations, individuals, government bodies. Previously, to generate test certificates we used a service based on a PAK UTs (a certification-authority appliance), a proprietary thing that issues certificates according to fixed rules and does not let you play with a certificate's validity period however you like. That is where the idea came from to write, as an experiment, a small service that could generate any certificates you like with GOST algorithms while still working correctly with CryptoPro. In this article I want to share the technique that hides under the hood of that functionality.

    habr.com/ru/companies/skbkontu

    #net #криптография #криптопро #сертификаты #pki #гост_34 #pfx #pbkdf2 #pbes2 #криптопровайдер

  11. Extracting passwords from various browsers

    If a user forgets the master password for the Bitwarden, 1Password, or KeePassXC password manager, the passwords cannot be recovered. The built-in password managers of the Chrome and Firefox browsers are another matter: there are special tools for decrypting them. This fact should be kept in mind when storing user data, and an attacker must not be allowed to gain physical or remote access to the computer with the user's privileges. Note: the tools listed below do not work with the latest browser versions and are provided solely for informational and educational purposes.

    habr.com/ru/companies/globalsi

    #парольные_менеджеры #взлом_паролей #парольные_хранилища #PBKDF2 #SHA256 #Chrome #Firefox #AES #Triple_DES #Firefox_Passwords_Decryptor #Browser_Cookie #куки #SQLite #cookiejar #CryptProtectData #CryptUnprotectData

  15. Password-protecting a static HTML page with JS

    Usually password protection is done through the web server, which checks the password and serves the content. The standard way: .htaccess and htpasswd. But what if you need to publish an encrypted web page and files on public hosting where you have no control over the server? The StatiCrypt and Portable Secret tools solve this problem. To encrypt the HTML before publishing, StatiCrypt uses AES-256 and WebCrypto, and decryption happens by entering the password in the browser on the client side, as shown in the demo (password: test). StatiCrypt generates a static page that can be safely uploaded to any hosting, including free third-party hosting such as GitHub Pages.

    habr.com/ru/companies/globalsi

    #StatiCrypt #AES256 #WebCrypto #парольная_защита #PBKDF2 #Portable_Secret #шифрование_файлов

  19. It's been, I've lost count, 6 years? And still GRUB2 does not support while absolutely gets stomped.

    Effectively rendering with encrypted boot insecure on Linux (X86). While with u-boot on ARM you can use argon2.

    I do not understand why this isn't like a high priority issue for GNU.

  20. Musing about Password-Based Cryptography for the Government

    What would a modern NIST standard for password-based cryptography look like?

    Obviously, we have PBKDF2–which, if used with a FIPS-approved hash function, gives you a way to derive encryption keys and/or password validators from human-memorable secrets.

    However, PBKDF2 isn’t memory-hard.

    In 2012, several cryptographers initiated the Password Hashing Competition (PHC) to study the state-of-the-art for password-based cryptography at the time. Part of this motivation was that memory-hard hashing (first developed by Colin Percival in scrypt a few years prior) provided greater defense against the increasing parallelism of modern password cracking techniques.

    After a few years of cryptanalysis, the PHC selected an algorithm called Argon2, and gave special recognition to four other finalists.

    And, to quote NIST SP 800-63B:

    A memory-hard function SHOULD be used because it increases the cost of an attack.

    If you were expecting, “Nevermore,” you’re currently reading the wrong literary genre.

    “So, we’re done, right? Just use Argon2 and call it a day.”

    We did it! Yayyyyyyyy~

    Of course, it’s not that simple.

    (Artist source unknown, meme generated from imgflip)

    What is Argon2?

    Argon2 is defined in IETF RFC 9106. There are several variants of Argon2 that have subtly different security properties (Argon2d, Argon2i, Argon2id, Argon2ds — the latter one providing a property called cache-hardness, which Steve Thomas’s slide deck from BSidesLV 2022 explores in depth).

    Argon2id is the variant most of us settled on in 2024.

    Regardless of the variant used, the same underpinnings are used. From RFC 9106, section 3.2:

    Argon2 uses an internal compression function G with two 1024-byte inputs, a 1024-byte output, and an internal hash function H^x(), with x being its output length in bytes. Here, H^x() applied to string A is the BLAKE2b ([BLAKE2], Section 3.3) function, which takes (d,ll,kk=0,nn=x) as parameters, where d is A padded to a multiple of 128 bytes and ll is the length of d in bytes. The compression function G is based on its internal permutation. A variable-length hash function H’ built upon H is also used. G is described in Section 3.5, and H’ is described in Section 3.3.

    Bold text for emphasis.

    If you weren’t adept at playing Crypto Algorithm Bingo, it might be easy to miss the fact that BLAKE2b is NOT a cryptographic algorithm approved for use in FIPS validated modules.

    So, full stop, unless NIST and the US Department of Commerce turn over a new leaf and add BLAKE2 to the approved algorithms list for FIPS, this is a non-starter.

    Well, why not use yescrypt? Or scrypt for that matter?

    Yescrypt (and scrypt before it) are based on Salsa20/8. In fact, most of the time computing a KDF output with either algorithm is spent on Salsa20-encryption regions of memory.

    After all the computing resources are spent on Salsa20/8 and memory management, PBKDF2-SHA256 is used to compress the output to a fixed length. This is arguably complying with NIST’s requirements to use PBKDF2–albeit with an iteration count of 1 (so it’s just artificially sweetened HMAC, if we’re being honest with ourselves).

    How are systems complying today?

    I’ve heard a few conflicting stories over the years from folks that care a lot about FIPS (presumably because the US government is a significant chunk of their annual recurring revenue). It’s possible I’m misremembering what they said, so please take these secondhand anecdotes with an appropriate amount of salt.

    One person claimed that Scrypt is fine since “the last step is PBKDF2”, and if an auditor blinks, you allegedly just need to document all the Salsa20 stuff as “obfuscation” and PBKDF2 is what you’re really doing to comply.

    Another approach I heard was to run a memory-hard KDF in parallel with PBKDF2, then use HKDF to combine the two outputs.

    Between the two, I’m more likely to believe that an auditor would approve the latter HKDF-based design, but I’ve never worked at a NIST CMVP lab, so who knows?

    Unfortunately, NIST SP 800-63B has little to say about the specifics:

    Examples of suitable key derivation functions include Password-based Key Derivation Function 2 (PBKDF2) [SP 800-132] and Balloon [BALLOON]. A memory-hard function SHOULD be used because it increases the cost of an attack.

    I already said that PBKDF2 isn’t memory hard, so that’s useless here.

    The other example they gave, Balloon Hashing, is frankly a weird recommendation to make, given the lack of a stable reference implementation and how poorly specified it is.

    This is starting to look like a catch-22. Maybe we would be better off not supporting passwords anymore.

    But what if you can’t make that decision?

    What would a modern NIST standard for password-based cryptography even look like?

    Towards Gargon: Government-flavored Argon2

    Is that last question even answerable?

    I argue, “Probably yes.” From the introduction to RFC 9106:

    Argon2 is also a mode of operation over a fixed-input-length compression function G and a variable-input-length hash function H. Even though Argon2 can be potentially used with an arbitrary function H, as long as it provides outputs up to 64 bytes, the BLAKE2b function [BLAKE2] is used in this document.

    Clearly, the Argon2 RFC authors intended to allow the hash function to be swapped out for another one.

    So can we just str_replace() BLAKE2b with SHA512 (or SHA3-512) and call our job done?

    No, that would be too easy.

    The internal compression function, G

    Argon2’s design involves computing the internal compression function, G, over regions of memory. The linked section of that version of RFC 9106 provides a good overview of the construction.

    • G is defined in terms of the permutation, P.
    • P is based on the round function of BLAKE2b.
    • The BLAKE2b round function is based on ChaCha, which is similar to Salsa20 (and designed by the same author), which we already established isn’t approved for FIPS.

    So if we’re going to invent a Government-tolerable variant of Argon2, we’ll need to be a bit more creative about our choice for G as well.

    More precisely, even if we keep the overall structure of G intact, we’ll need to define a FIPS-able permutation, P.

    The permutation, P, for building the internal compression function, G

    A reasonable person would assume we would need to pick a component from the hash function we’re building atop which has an increased circuit depth. After all, that’s what the Argon2 designers did:

    The modular additions in GB are combined with 64-bit multiplications. Multiplications are the only difference from the original BLAKE2b design. This choice is done to increase the circuit depth and thus the running time of ASIC implementations, while having roughly the same running time on CPUs thanks to parallelism and pipelining.

    RFC 9106

    And this is where reasonableness hits a wall. There are several directions that one could go to invent Government-tolerable Argon2.

    • The SHA-2 family compression function (i.e., , , , and ).
    • The basic block permutation function from SHA3 (i.e., , , , , and ).
    • Look elsewhere in the FIPS algorithm suite, such as AES (e.g., in Counter Mode, to exploit the hardware acceleration of AES in modern CPUs).

    Each of these ideas is terrible in their own way.

    The cryptanalysis results showing that the best attack against a full hash function costs 2 to some power queries don’t imply the security of each constituent component. So you’re really rolling the dice if you pursue this.

    AES might be okay, depending on how it’s constructed and used. But the devil’s always in the details.

    It’s starting to seem like Gargon’s possibility is fleeting, after all.

    Wouldn’t life be simpler if NIST just approved BLAKE2b and/or Argon2 for use in FIPS validated modules?

    Yes, life would be much simpler. NIST should do that.

    Unfortunately, until that day comes, there are yet more windmills that need tilting.

    https://scottarc.blog/2024/06/17/the-quest-for-the-gargon/

    #Argon2 #crypto #Cryptography #CryptographyStandards #cybersecurity #encryption #FIPS #NIST #passwordBasedCryptography #passwords #PBKDF2 #security
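Two claims from the post above in runnable form, as an added example that is not code from the post or from scottarc.blog: a pure-Python scrypt written per RFC 7914 so that its two PBKDF2-HMAC-SHA256 calls with an iteration count of 1 are explicit (checked against the RFC test vector and against hashlib.scrypt), plus the "PBKDF2 in parallel with a memory-hard KDF, combined via HKDF" design the author relays second-hand. Every parameter value and the HKDF info string are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32


def _quarter(x, a, b, c, d):
    # One Salsa20 quarter-round in place; index order follows RFC 7914 section 3
    x[b] ^= _rotl((x[a] + x[d]) & MASK32, 7)
    x[c] ^= _rotl((x[b] + x[a]) & MASK32, 9)
    x[d] ^= _rotl((x[c] + x[b]) & MASK32, 13)
    x[a] ^= _rotl((x[d] + x[c]) & MASK32, 18)


def salsa20_8(block):
    """Salsa20/8 core on a 64-byte block: the part of scrypt that is not FIPS-approved."""
    inp = list(struct.unpack("<16I", block))
    x = inp[:]
    for _ in range(4):  # 8 rounds = 4 double rounds (column round, then row round)
        _quarter(x, 0, 4, 8, 12)
        _quarter(x, 5, 9, 13, 1)
        _quarter(x, 10, 14, 2, 6)
        _quarter(x, 15, 3, 7, 11)
        _quarter(x, 0, 1, 2, 3)
        _quarter(x, 5, 6, 7, 4)
        _quarter(x, 10, 11, 8, 9)
        _quarter(x, 15, 12, 13, 14)
    return struct.pack("<16I", *[(x[i] + inp[i]) & MASK32 for i in range(16)])


def _xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))


def block_mix(B, r):
    """scryptBlockMix: 2r chained Salsa20/8 calls over a 128*r-byte block (RFC 7914 section 4)."""
    blocks = [B[i * 64:(i + 1) * 64] for i in range(2 * r)]
    X = blocks[-1]
    Y = []
    for blk in blocks:
        X = salsa20_8(_xor(X, blk))
        Y.append(X)
    return b"".join(Y[0::2] + Y[1::2])  # even-indexed outputs first, then odd


def romix(B, N, r):
    """scryptROMix: fill N blocks of memory, then read them back in a password-dependent order."""
    X = B
    V = []
    for _ in range(N):
        V.append(X)
        X = block_mix(X, r)
    for _ in range(N):
        # Integerify: the last 64-byte sub-block read as a little-endian integer, taken mod N
        j = int.from_bytes(X[(2 * r - 1) * 64:(2 * r - 1) * 64 + 8], "little") % N
        X = block_mix(_xor(X, V[j]), r)
    return X


def scrypt_reference(password, salt, N, r, p, dklen):
    """Pure-Python scrypt (RFC 7914 section 6), written so its PBKDF2 bookends are visible."""
    # Step 1: PBKDF2-HMAC-SHA256 with c = 1 expands the password into p blocks of 128*r bytes
    B = hashlib.pbkdf2_hmac("sha256", password, salt, 1, p * 128 * r)
    # Step 2: all of the memory-hard work happens here, in Salsa20/8
    mixed = b"".join(romix(B[i * 128 * r:(i + 1) * 128 * r], N, r) for i in range(p))
    # Step 3: "the last step is PBKDF2": a single HMAC-SHA256 pass, with the mixed memory
    # as the salt, compresses everything to dklen bytes
    return hashlib.pbkdf2_hmac("sha256", password, mixed, 1, dklen)


def matches_stdlib(password, salt, N, r, p, dklen):
    """True when the reference above agrees with the OpenSSL-backed hashlib.scrypt."""
    expected = hashlib.scrypt(password, salt=salt, n=N, r=r, p=p, dklen=dklen)
    return scrypt_reference(password, salt, N, r, p, dklen) == expected


def hkdf_sha256(salt, ikm, info, length):
    """HKDF-Extract followed by HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm += t
        counter += 1
    return okm[:length]


def pbkdf2_parallel_scrypt(password, salt, iterations, N, r, p, dklen):
    """The second design the post relays: PBKDF2 with a real iteration count and a
    memory-hard KDF run side by side, their outputs combined with HKDF. The info string
    and all parameter values are illustrative assumptions, not a validated configuration."""
    k_pbkdf2 = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, 32)
    k_memhard = hashlib.scrypt(password, salt=salt, n=N, r=r, p=p, dklen=32)
    return hkdf_sha256(salt, k_pbkdf2 + k_memhard, b"pbkdf2+scrypt combine", dklen)
```

Whether an auditor accepts either construction is exactly the open question the post raises; the code only makes the two shapes concrete enough to reason about.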

  21. Musing about Password-Based Cryptography for the Government

    What would a modern NIST standard for password-based cryptography look like?

    Obviously, we have PBKDF2–which, if used with a FIPS-approved hash function, gives you a way to derive encryption keys and/or password validators from human-memorable secrets.

    However, PBKDF2 isn’t memory-hard.

    In 2012, several cryptographers initiated the Password Hashing Competition (PHC) to study the state-of-the-art for password-based cryptography at the time. Part of this motivation was that memory-hard hashing (first developed by Colin Percival in scrypt a few years prior) provided greater defense against the increasing parallelism of modern password cracking techniques.

    After a few years of cryptanalysis, the PHC selected an algorithm called Argon2, and gave special recognition to four other finalists.

    And, quote the NIST SP 800-63B:

    A memory-hard function SHOULD be used because it increases the cost of an attack.

    If you were expecting, “Nevermore,” you’re currently reading the wrong literary genre.

    “So, we’re done, right? Just use Argon2 and call it a day.”

    We did it! Yayyyyyyyy~

    Of course, it’s not that simple.

    (Artist source unknown, meme generated from imgflip)

    What is Argon2?

    Argon2 is defined in IETF RFC 9106. There are several variants of Argon2 that have subtly different security properties (Argon2d, Argon2i, Argon2id, Argon2ds — the latter one providing a property called cache-hardness. which Steve Thomas’s slide deck from BSidesLV 2022 explores in depth).

    Argon2id is the variant most of us settled on in 2024.

    Regardless of the variant used, the same underpinnings are used. From RFC 9106, section 3.2:

    Argon2 uses an internal compression function G with two 1024-byte inputs, a 1024-byte output, and an internal hash function H^x(), with x being its output length in bytes. Here, H^x() applied to string A is the BLAKE2b ([BLAKE2], Section 3.3) function, which takes (d,ll,kk=0,nn=x) as parameters, where d is A padded to a multiple of 128 bytes and ll is the length of d in bytes. The compression function G is based on its internal permutation. A variable-length hash function H’ built upon H is also used. G is described in Section 3.5, and H’ is described in Section 3.3.

    Bold text for emphasis.

    If you weren’t adept at playing Crypto Algorithm Bingo, it might be easy to miss the fact that BLAKE2b is NOT a cryptographic algorithm approved for use in FIPS validated modules.

    So, full stop, unless NIST and the US Department of Commerce turn over a new leaf and add BLAKE2 to the approved algorithms list for FIPS, this is a non-starter.

    Well, why not use yescrypt? Or scrypt for that matter?

    Yescrypt (and scrypt before it) are based on Salsa20/8. In fact, most of the time computing a KDF output with either algorithm is spent on Salsa20-encryption regions of memory.

    After all the computing resources are spent on Salsa20/8 and memory management, PBKDF2-SHA256 is used to compress the output to a fixed length. This is arguably complying with NIST’s requirements to use PBKDF2–albeit with an iteration count of 1 (so it’s just artificially sweetened HMAC, if we’re being honest with ourselves).

    How are systems complying today?

    I’ve heard a few conflicting stories over the years from folks that care a lot about FIPS (presumably because the US government is a significant chunk of their annual recurring revenue). It’s possible I’m misremembering what they said, so please take these secondhand anecdotes with an appropriate amount of salt.

    One person claimed that Scrypt is fine since “the last step is PBKDF2”, and if an auditor blinks, you allegedly just need to document all the Salsa20 stuff as “obfuscation” and PBKDF2 is what you’re really doing to comply.

    Another approach I heard was to run a memory-hard KDF in parallel with PBKDF2, then use HKDF to combine the two outputs.

    Between the two, I’m more likely to believe that an auditor would approve the latter HKDF-based design, but I’ve never worked at a NIST CMVP lab, so who knows?

    Unfortunately, NIST SP 800-63B has little to say about the specifics:

    Examples of suitable key derivation functions include Password-based Key Derivation Function 2 (PBKDF2) [SP 800-132] and Balloon [BALLOON]. A memory-hard function SHOULD be used because it increases the cost of an attack.

    I already said that PBKDF2 isn’t memory hard, so that’s useless here.

    The other example they gave, Balloon Hashing, is frankly a weird recommendation to make, given the lack of a stable reference implementation and how poorly specified it is.

    This is starting to look like a catch-22. Maybe we would be better off not supporting passwords anymore.

    But what if you can’t make that decision?

    What would a modern NIST standard for password-based cryptography even look like?

    Towards Gargon: Government-flavored Argon2

    Is that last question even answerable?

    I argue, “Probably yes.” From the introduction to RFC 9106:

    Argon2 is also a mode of operation over a fixed-input-length compression function G and a variable-input-length hash function H. Even though Argon2 can be potentially used with an arbitrary function H, as long as it provides outputs up to 64 bytes, the BLAKE2b function [BLAKE2] is used in this document.

    Clearly, the Argon2 RFC authors intended to allow the hash function be swapped out for another one.

    So can we just str_replace() BLAKE2b with SHA512 (or SHA3-512) and call our job done?

    No, that would be too easy.

    The internal compression function, G

    Argon2’s design involves computing the internal compression function, G, over regions of memory. The linked section of that version of RFC 9106 provides a good overview of the construction.

    • G is defined in terms of the permutation, P.
    • P is based on the round function of BLAKE2b.
    • The BLAKE2b round function is based on ChaCha, which is similar to Salsa20 (and designed by the same author), which we already established isn’t approved for FIPS.

    So if we’re going to invent a Government-tolerable variant of Argon2, we’ll need to be a bit more creative about our choice for G as well.

    More precisely, even if we keep the overall structure of G intact, we’ll need to define a FIPS-able permutation, P.

    The permutation, P, for building the internal compression function, G

    A reasonable person would assume we would need to pick a component from the hash function we’re building atop which has an increased circuit depth. After all, that’s what the Argon2 designers did:

    The modular additions in GB are combined with 64-bit multiplications. Multiplications are the only difference from the original BLAKE2b design. This choice is done to increase the circuit depth and thus the running time of ASIC implementations, while having roughly the same running time on CPUs thanks to parallelism and pipelining.

    RFC 9106

    And this is where reasonableness hits a wall. There are several directions that one could go to invent Government-tolerable Argon2.

    • The SHA-2 family compression function (i.e., , , , and ).
    • The basic block permutation function from SHA3 (i.e., , , , , and ).
    • Look elsewhere in the FIPS algorithm suite, such as AES (e.g., in Counter Mode, to exploit the hardware acceleration of AES in modern CPUs).

    Each of these ideas is terrible in its own way.

    The cryptanalysis results showing that the best attack against a full hash function costs 2 to some power queries don’t imply the security of each constituent component. So you’re really rolling the dice if you pursue this.

    AES might be okay, depending on how it’s constructed and used. But the devil’s always in the details.

    It’s starting to seem like Gargon’s possibility is fleeting, after all.

    Wouldn’t life be simpler if NIST just approved BLAKE2b and/or Argon2 for use in FIPS validated modules?

    Yes, life would be much simpler. NIST should do that.

    Unfortunately, until that day comes, there are yet more windmills that need tilting.

    https://scottarc.blog/2024/06/17/the-quest-for-the-gargon/

    #Argon2 #crypto #Cryptography #CryptographyStandards #cybersecurity #encryption #FIPS #NIST #passwordBasedCryptography #passwords #PBKDF2 #security
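The second design the post reports hearing about (a memory-hard KDF run alongside PBKDF2, with HKDF binding the two outputs into one key), as an added example that is not code from the post or from scottarc.blog. It uses only the Python standard library: hashlib.scrypt stands in for Argon2id, which the standard library does not ship; the per-branch salt derivation, the HKDF info label and the cost parameters are assumptions. Whether a CMVP lab would sign off on such a construction is exactly the open question the post raises; the code only shows what the construction looks like and what an attacker has to pay per guess.

```python
"""PBKDF2 and a memory-hard KDF run side by side, bound together with HKDF.

Added example, not code from the post or from scottarc.blog. Standard library
only: hashlib.scrypt stands in for Argon2id (not in the standard library);
the branch salts, the HKDF info label and the cost parameters are assumptions.
"""
import hashlib
import hmac
import os

HASH = "sha256"
HASH_LEN = hashlib.new(HASH).digest_size  # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) || info || i)."""
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("HKDF-Expand length out of range")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def derive_key(password: bytes, salt: bytes, length: int = 32, *,
               pbkdf2_iterations: int = 600_000,
               scrypt_n: int = 2 ** 14, scrypt_r: int = 8, scrypt_p: int = 1) -> bytes:
    """Derive `length` key bytes from a password.

    Branch 1 (compute-hard, FIPS-listed primitives only): PBKDF2-HMAC-SHA256.
    Branch 2 (memory-hard): scrypt, standing in for Argon2id.
    Both outputs form the IKM of HKDF-Extract, so neither branch alone yields
    the key and every password guess costs an attacker both evaluations.
    """
    if len(salt) < 16:
        raise ValueError("use at least a 128-bit random salt")
    # Domain-separated salts (assumed labels) so the branches never see identical inputs.
    salt_pbkdf2 = hashlib.sha256(b"branch:pbkdf2|" + salt).digest()
    salt_scrypt = hashlib.sha256(b"branch:scrypt|" + salt).digest()

    compute_hard = hashlib.pbkdf2_hmac(HASH, password, salt_pbkdf2,
                                       pbkdf2_iterations, dklen=HASH_LEN)
    # 128 * r * n bytes of memory: 16 MiB at the defaults; maxmem raised accordingly.
    memory_hard = hashlib.scrypt(password, salt=salt_scrypt, n=scrypt_n, r=scrypt_r,
                                 p=scrypt_p, maxmem=2 ** 26, dklen=HASH_LEN)
    # Extract over the concatenation, then expand under a fixed (assumed) label.
    return hkdf(salt, compute_hard + memory_hard, b"pbkdf2+scrypt combined key v1", length)


def new_salt() -> bytes:
    return os.urandom(16)


if __name__ == "__main__":
    salt = new_salt()
    key = derive_key(b"correct horse battery staple", salt)
    print("salt:", salt.hex())
    print("key: ", key.hex())
```

The HKDF pieces are checked against RFC 5869 test case 1, so the binding step is not home-grown; the two KDF branches are the standard library's own. At the defaults each guess costs an attacker 600,000 HMAC-SHA256 evaluations plus a 16 MiB scrypt pass, and the PBKDF2 branch is the one that can be pointed at in an audit.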

  24. With syncthing the encryption is realized using Xchachapoly aes-siv and is used for primary key derivation. This makes it robust against even state based attackers unlike

  25. "Since the time PBKDF2 was designed, we’ve seen the rise of powerful GPUs become common place. To defend against this rising onslaught of GPU hashing power is a relatively new algorithm, argon2."

    blog.dataparty.xyz/blog/wtf-is

    #cryptography #argon2 #pbkdf2

  26. LUKS: Are old encrypted containers insecure? A guide to updating them

    The French police allegedly managed to crack a LUKS container. No reason to panic, but a reason to question your passwords and LUKS parameters.

    heise.de/news/Alte-LUKS-Contai

    #Argon #LUKS #Linux #PBKDF2 #Security #Verschlüsselung #cryptsetup

  27. CW: Linux & encryption (nerd stuff)

    If you run a Linux system encrypted with LUKS, it may be using a key derivation function that is too weak (and outdated), especially if the installation is a few years old.

    More information, and a guide (which I tested successfully) to updating the LUKS settings, from @mjg59:
    mjg59.dreamwidth.org/66429.htm

    #linux #luks #verschluesselung #encryption #pbkdf2 #argon2id
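The check the two posts above are about (find out whether an older LUKS install still protects its keyslots with PBKDF2, then move them to Argon2id), as an added example that is neither from the heise article nor from mjg59's guide nor from cryptsetup itself. The luksDump text is a constructed, abbreviated sample and the device path is hypothetical; the commands it prints are cryptsetup's luksDump, luksHeaderBackup, convert and luksConvertKey. The detail worth getting right: the Digests section of a LUKS2 header also reads pbkdf2, and that is normal (the master-key digest is PBKDF2 by design), so only the Keyslots section is examined.

```python
"""Audit a LUKS header for keyslots still protected by PBKDF2 and emit the
cryptsetup commands to move them to Argon2id.

Added example, not from the heise article, mjg59's guide or cryptsetup itself.
SAMPLE_DUMP is a constructed, abbreviated `cryptsetup luksDump` output; the
device path used at the bottom is hypothetical.
"""
import re
import sys

SAMPLE_DUMP = """\
LUKS header information
Version:       \t2
Epoch:         \t5
UUID:          \t0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0

Keyslots:
  0: luks2
\tKey:        512 bits
\tPriority:   normal
\tCipher:     aes-xts-plain64
\tCipher key: 512 bits
\tPBKDF:      pbkdf2
\tHash:       sha256
\tIterations: 1000
\tSalt:       00 11 22 33
  1: luks2
\tKey:        512 bits
\tPriority:   normal
\tCipher:     aes-xts-plain64
\tCipher key: 512 bits
\tPBKDF:      argon2id
\tTime cost:  4
\tMemory:     1048576
\tThreads:    4
\tSalt:       44 55 66 77
Tokens:
Digests:
  0: pbkdf2
\tHash:       sha256
\tIterations: 120000
\tSalt:       88 99 aa bb
"""

SLOT_HEADER = re.compile(r"^ {2}(\d+): (\S+)")        # "  0: luks2"
FIELD = re.compile(r"^\s+([A-Za-z][^:]*):\s*(.*)$")    # "\tPBKDF:      pbkdf2"


def luks_version(dump: str) -> int:
    m = re.search(r"^Version:\s*(\d+)", dump, re.MULTILINE)
    if not m:
        raise ValueError("not a luksDump output")
    return int(m.group(1))


def parse_keyslots(dump: str) -> dict:
    """Return {slot_number: {field: value}} from the Keyslots section only.

    The Digests section says 'pbkdf2' as well, legitimately: the master-key
    digest is PBKDF2 by design. A bare grep for pbkdf2 therefore over-reports.
    """
    slots, section, current = {}, None, None
    for line in dump.splitlines():
        if line and not line[0].isspace():      # unindented: a new top-level section
            section, current = line.split(":", 1)[0], None
            continue
        if section != "Keyslots":
            continue
        header = SLOT_HEADER.match(line)
        if header:
            current = int(header.group(1))
            slots[current] = {"type": header.group(2)}
            continue
        field = FIELD.match(line)
        if field and current is not None:
            slots[current][field.group(1).strip().lower()] = field.group(2).strip()
    return slots


def pbkdf2_keyslots(dump: str) -> list:
    """Keyslots whose unlock KDF is PBKDF2 rather than a memory-hard one."""
    return sorted(n for n, f in parse_keyslots(dump).items() if f.get("pbkdf") == "pbkdf2")


def remediation_commands(dump: str, device: str) -> list:
    """cryptsetup invocations (printed, never executed here) to reach Argon2id."""
    if luks_version(dump) == 1:
        # LUKS1 has no Argon2 at all: back the header up, convert the format,
        # then re-run this audit on the new LUKS2 dump to convert each slot.
        return [f"cryptsetup luksHeaderBackup --header-backup-file luks-header.bak {device}",
                f"cryptsetup convert --type luks2 {device}"]
    return [f"cryptsetup luksConvertKey --pbkdf argon2id --key-slot {n} {device}"
            for n in pbkdf2_keyslots(dump)]


if __name__ == "__main__":
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    device = sys.argv[1] if len(sys.argv) > 1 else "/dev/sdX3"   # hypothetical
    print("LUKS version:", luks_version(dump))
    print("keyslots still on PBKDF2:", pbkdf2_keyslots(dump))
    for cmd in remediation_commands(dump, device):
        print(cmd)
```

Feed it real output with `cryptsetup luksDump /dev/... | python3 luks_kdf_check.py /dev/...`. The commands are only printed: luksConvertKey prompts for the passphrase of the slot it rewrites, and since it rewrites keyslot material in place, take the header backup first, whatever the LUKS version.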

  28. Changing years and years of passwords, still. Thank you so much #LastPass the "No. 1 password manager" and this #Breach

    You had one job

    At sign-in. Advise that the password might be too weak. Not everyone reads security news. A password from 2013 doesn't cut it today. Also, why not increase #PBKDF2 iterations at login?

    My wife had 500

    Also, do what you were doing with the main password: do more #PBKDF2 password iterations. The vault data is as important as the result of the password hashing.

  29. @epixoip I would also recommend increasing the #pbkdf2 rounds of #bitwarden as they have just 100000 as a default, which is the absolute acceptable minimum. And older accounts have just 5000 rounds. As the computing power is no problem on my devices, I’ve set it to 2 million iterations.
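One way to do what the two posts above ask for (raise a user's PBKDF2 iteration count at login instead of leaving old accounts on 5,000 or 500 rounds), as an added example that is not code from LastPass, Bitwarden or either poster. The record format, the 600,000-iteration target and the 100,000 floor are assumptions chosen for illustration. The point the code makes is where the upgrade can happen at all: a server that stores only PBKDF2 output cannot raise the iteration count offline, because the only moment it holds the plaintext password is during a successful login.

```python
"""PBKDF2-HMAC-SHA256 password records that are upgraded on successful login.

Added example, not code from LastPass, Bitwarden or any poster above.
Assumed record format: "pbkdf2-sha256$<iterations>$<salt b64>$<digest b64>".
"""
import base64
import hashlib
import hmac
import os
import time

ALGORITHM = "pbkdf2-sha256"
TARGET_ITERATIONS = 600_000  # assumed current policy; raise it as hardware improves
MIN_ITERATIONS = 100_000     # assumed floor for anything calibrated on this host
SALT_BYTES = 16
DKLEN = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def hash_password(password: str, iterations: int = TARGET_ITERATIONS, salt: bytes = b"") -> str:
    """Create a storable record; a fresh random salt is used unless one is given."""
    if iterations < 1:
        raise ValueError("iterations must be positive")
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN)
    return "$".join((ALGORITHM, str(iterations), _b64(salt), _b64(digest)))


def parse_record(record: str):
    """Split a record into (iterations, salt, digest); rejects unknown formats."""
    algorithm, iterations, salt, digest = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unsupported record format: " + algorithm)
    return int(iterations), _unb64(salt), _unb64(digest)


def needs_upgrade(record: str) -> bool:
    """True when the stored iteration count is below current policy.
    Usable over the whole user table without any plaintext, e.g. to count
    how many accounts are still on legacy settings."""
    return parse_record(record)[0] < TARGET_ITERATIONS


def verify_password(password: str, record: str):
    """Return (ok, new_record). new_record is a replacement to persist when the
    login succeeded against a below-policy record, otherwise None."""
    iterations, salt, expected = parse_record(record)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN)
    if not hmac.compare_digest(candidate, expected):   # constant-time comparison
        return False, None
    if iterations < TARGET_ITERATIONS:
        # Plaintext is in hand only here: re-hash with a new salt at the current policy.
        return True, hash_password(password)
    return True, None


def calibrate_iterations(target_seconds: float, probe_iterations: int = 20_000) -> int:
    """Iteration count costing about target_seconds on this machine, never below
    MIN_ITERATIONS, rounded down to a multiple of 10,000."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"calibration", b"\x00" * SALT_BYTES, probe_iterations, dklen=DKLEN)
    elapsed = max(time.perf_counter() - start, 1e-9)
    per_iteration = elapsed / probe_iterations
    suggested = int(target_seconds / per_iteration) // 10_000 * 10_000
    return max(MIN_ITERATIONS, suggested)


if __name__ == "__main__":
    legacy = hash_password("hunter2", iterations=5_000)   # what an old account might hold
    ok, replacement = verify_password("hunter2", legacy)
    print("login ok:", ok, "| record upgraded:", replacement is not None)
    print("suggested iterations for ~250 ms on this host:", calibrate_iterations(0.25))
```

A legacy user pays the cost of two derivations on the login that upgrades them, and never again. The same trick does not transfer to a zero-knowledge password manager, where the derivation runs on the client to unwrap the vault key: there the server has nothing to re-hash, and the client must re-derive and re-wrap the vault key when the iteration count goes up.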

  30. Many of you have been asking for my thoughts on the #LastPass breach, and I apologize that I'm a couple days late delivering.

    Apart from all of the other commentary out there, here's what you need to know from a #password cracker's perspective!

    Your vault is encrypted with #AES256 using a key that is derived from your master password, which is hashed using a minimum of 100,100 rounds of PBKDF2-HMAC-SHA256 (can be configured to use more rounds, but most people don't). #PBKDF2 is the minimum acceptable standard in key derivation functions (KDFs); it is compute-hard only and fits entirely within registers, so it is highly amenable to acceleration. However, it is the only #KDF that is FIPS/NIST approved, so it's the best (or only) KDF available to many applications. So while there are LOTS of things wrong with LastPass, key derivation isn't necessarily one of them.

    Using #Hashcat with the top-of-the-line RTX 4090, you can crack PBKDF2-HMAC-SHA256 with 100,100 rounds at about 88 KH/s. At this speed an attacker could test ~7.6 billion passwords per day, which may sound like a lot, but it really isn't. By comparison, the same GPU can test Windows NT hashes at a rate of 288.5 GH/s, or ~25 quadrillion passwords per day. So while LastPass's hashing is nearly two orders of magnitude faster than the < 10 KH/s that I recommend, it's still more than 3 million times slower than cracking Windows/Active Directory passwords. In practice, it would take you about 3.25 hours to run through rockyou.txt + best64.rule, and a little under two months to exhaust rockyou.txt + rockyou-30000.rule.

    Keep in mind these are the speeds for cracking a single vault; for an attacker to achieve this speed, they would have to single out your vault and dedicate their resources to cracking only your vault. If they're trying 1,000 vaults simultaneously, the speed would drop to just 88 H/s. With 1 million vaults, the speed drops to an abysmal 0.088 H/s, or 11.4 seconds to test just one password. Practically speaking, what this means is the attackers will target four groups of users:

    1. users for which they have previously-compromised passwords (password reuse, credential stuffing)
    2. users with laughably weak master passwords (think top20k)
    3. users they can phish
    4. high value targets (celebs, .gov, .mil, fortune 100)

    If you are not in this list / you don't get phished, then it is highly unlikely your vault will be targeted. And due to the fairly expensive KDF, even passwords of moderate complexity should be safe.

    I've seen several people recommend changing your master password as a mitigation for this breach. While changing your master password will help mitigate future breaches should you continue to use LastPass (you shouldn't), it does literally nothing to mitigate this current breach. The attacker has your vault, which was encrypted using a key derived from your master password. That's done, that's in the past. Changing your password will re-encrypt your vault with the new password, but of course it won't re-encrypt the copy of the vault the attacker has with your new password. That would be impossible unless you somehow had access to the attacker's copy of the vault, which if you do, please let me know?

    A proper mitigation would be to migrate to #Bitwarden or #1Password, change the passwords for each of your accounts as you migrate over, and also review the MFA status of each of your accounts as well. The perfect way to spend your holiday vacation! Start the new year fresh with proper password hygiene.

    For more password insights like this, give me a follow!

  31. I published an article on the #LastPassBreach: palant.info/2022/12/23/lastpas

    This is very serious, no matter what #LastPass says. From the article:

    “This makes it sound like decrypting the passwords you stored with LastPass is impossible. It also prepares the ground for blaming you, should the passwords be decrypted after all: you clearly didn’t follow the recommendations. Fact is however: decrypting passwords is expensive but it is well within reach. And you need to be concerned.”

    Another conclusion from this article: #PBKDF2 is dead. Yes, you have that officially from me. If you still use it, feel free to go and fix that now.

  32. fastpbkdf2 is a very fast implementation.

    fastpbkdf2 implements PBKDF2-HMAC for the SHA1, SHA256, and SHA512 hashing algorithms. fastpbkdf2 uses several optimizations to improve its speed over OpenSSL's PBKDF2 while retaining probable security. In certain cases fastpbkdf2 can be over six times as fast as OpenSSL's equivalent implementation.

    Website 🔗️: github.com/ctz/fastpbkdf2