Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security issue: using HMAC on the passphrase directly is brute-forcable #1

Open
mcpherrinm opened this issue Jun 4, 2020 · 1 comment
Open

Security issue: using HMAC on the passphrase directly is brute-forcable #1

mcpherrinm opened this issue Jun 4, 2020 · 1 comment
Assignees
@sepisoad
Labels
enhancement New feature or request security security issues

Comments

@mcpherrinm
Copy link

I only briefly looked at the code after seeing it on lobste.rs, but it appears that this uses HMAC with a passphrase as the key directly.

If you can get a user to register for 1 website, an attacker can then brute-force HMAC key, and compute the password for all other websites.

Having a human-memorizable passphrase used directly as an hmac key is not secure. If you want to continue on this approach, you must use some kind of password-based key derivation function, such as scrypt.
@sepisoad
Copy link
Owner

sepisoad commented Jun 4, 2020

thanks for your advice, I will definitely take it into account

@sepisoad sepisoad self-assigned this Jun 4, 2020
@sepisoad sepisoad added enhancement New feature or request security security issues labels Jun 4, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sepisoad sepisoad

Labels
enhancement New feature or request security security issues
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mcpherrinm @sepisoad