You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I only briefly looked at the code after seeing it on lobste.rs, but it appears that this uses HMAC with a passphrase as the key directly.
If you can get a user to register for 1 website, an attacker can then brute-force HMAC key, and compute the password for all other websites.
Having a human-memorizable passphrase used directly as an hmac key is not secure. If you want to continue on this approach, you must use some kind of password-based key derivation function, such as scrypt.
The text was updated successfully, but these errors were encountered:
I only briefly looked at the code after seeing it on lobste.rs, but it appears that this uses HMAC with a passphrase as the key directly.
If you can get a user to register for 1 website, an attacker can then brute-force HMAC key, and compute the password for all other websites.
Having a human-memorizable passphrase used directly as an hmac key is not secure. If you want to continue on this approach, you must use some kind of password-based key derivation function, such as scrypt.
The text was updated successfully, but these errors were encountered: