cyrtophora


commit be7ab1380c0d7752456acb226439c1c15404c351
parent 634fa38290b8842d32d9ce5fd2b3028cb326126c
Author: Jackson G. Kaindume <seestem@merely.tech>
Date:   Sun, 14 Aug 2022 20:13:49 +0200

[doc] add docs about password hashing

Diffstat:
A doc/password-hashing.md | 67+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A doc/style.css | 202+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 269 insertions(+), 0 deletions(-)

diff --git a/doc/password-hashing.md b/doc/password-hashing.md 
@@ -0,0 +1,67 @@ +# Password Hashing + +It is only a matter of time until your server gets hacked, and +when that happens you don't want the users passwords to be leaked -- +this will allow the attacker to gain access to the users resources. +Some users also use the same password across many services, your +web-server can be the root cause of a chain of breaches. + +A cool way to prevent this type of leak is by __obfuscating__ the +users password with a [__hash function__](https://en.wikipedia.org/wiki/Hash_function). + +There are lots of hash functions that can be used, but most of these +are not recommended. For example if you use SHA-256 or other +computationally cheap (hash function without a __work factor__ +parameter) functions, they are vulnerable to dictionary attacks. +Bruteforce is also possible if the password length is short/known, +asic miners can generate 100 TeraHashes PER Second. + +The server can increase the passwords entropy by concatenating it with +a random string. Users can also protect themselves by using longer +passwords. + +The best method to use against plaintext password leaks and dictionary +attacks is to use a __Password Hash Function__. Which is a hash +function specially designed to be slow/expensive to compute which +makes it impossible to bruteforce with current machines. + +## Scrypt [recommended] + +The [scrypt](https://en.wikipedia.org/wiki/Scrypt) hash function uses large amounts of memory when hashing +making it expensive to scale to the point of reasonable bruteforce +attacks. + +A number of cryptocurrencies use __scrypt__ for proof of work. + +Created by Colin Percival of [Tarsnap](https://en.wikipedia.org/wiki/Tarsnap) + +## Argon2d [recommended] + +The [Argon2d](https://en.wikipedia.org/wiki/Argon2) function is +designed to resist GPU cracking attacks. + +It is the winner of [Password Hashing Competition](https://www.password-hashing.net/). 
+ +## Bcrypt + +[Bcrypt](https://en.wikipedia.org/wiki/Bcrypt) is based on the +[blowfish](https://en.wikipedia.org/wiki/Blowfish_(cipher)) cipher. + +## PBKDF2 + +[PBKDF2](https://en.wikipedia.org/wiki/PBKDF2) is an key derivation +function with a sliding computational cost to reduce bruteforce +search. + + +## Conclusion + +A cool way to prevent password leaks is by __obfuscating__ them +with a password hash functions which offer additional security +against bruteforce from specialliazed hardware such as asics. If +password hash functions are used and implemented correctly even the +administrators of the server will not be able to read the users +passwords especially if the server is open source and the users can +audit the code for themselves. + +I recommend either of Scrypt or Argon2d for password hashing. diff --git a/doc/style.css b/doc/style.css 
@@ -0,0 +1,202 @@ + +html { + line-height: 1.5; + font-family: Georgia, serif; + font-size: 20px; + color: #ffffff; + background-color: #222D31 ; +} +body { + margin: 0 auto; + max-width: 36em; + padding-left: 50px; + padding-right: 50px; + padding-top: 0px; + margin-top: 0px; + padding-bottom: 50px; + hyphens: auto; + word-wrap: break-word; + text-rendering: optimizeLegibility; + font-kerning: normal; +} + +@media (max-width: 600px) { + body { + font-size: 0.9em; + padding: 1em; + } +} +@media print { + body { + background-color: transparent; + color: black; + font-size: 12pt; + } + p, h2, h3 { + orphans: 3; + widows: 3; + } + h2, h3, h4 { + page-break-after: avoid; + } + #TOC{ + position: relative !important; + width: inherit; + height: inherit; + border: none; + } +} +p { + margin: 1em 0; +} +a { + color: cyan; +} +a:visited { + color: cyan; +} +img { + max-width: 100%; +} +h1, h2, h3, h4, h5, h6 { + margin-top: 1.4em; + color: cyan; +} +h5, h6 { + font-size: 1em; + font-style: italic; +} +h6 { + font-weight: normal; +} +ol, ul { + padding-left: 1.7em; + margin-top: 1em; +} +li > ol, li > ul { + margin-top: 0; +} +blockquote { + margin: 1em 0 1em 1.7em; + padding-left: 1em; + border-left: 2px solid #e6e6e6; + color: #606060; +} +code { + font-family: Menlo, Monaco, 'Lucida Console', Consolas, monospace; + font-size: 85%; + margin: 0; +} +pre { + margin: 1em 0; + overflow: auto; +} +pre code { + padding: 0; + overflow: visible; +} +.sourceCode { + background-color: transparent; + overflow: visible; +} + +hr { + background-color: cyan; + border: none; + height: 2px; + margin: 4em 0; +} +table { + margin: 1em 0; + border-collapse: collapse; + width: 100%; + overflow-x: auto; + display: block; + font-variant-numeric: lining-nums tabular-nums; +} +table caption { + margin-bottom: 0.75em; +} +tbody { + margin-top: 0.5em; + border-top: 1px solid cyan; + border-bottom: 1px solid cyan; +} +th { + border-top: 1px solid cyan; + padding: 0.25em 0.5em 0.25em 0.5em; +} +td { 
+ padding: 0.125em 0.5em 0.25em 0.5em; +} +header { + margin-bottom: 4em; + text-align: center; +} + +#TOC{ + position: fixed; + width: 20vw; + height: 100vh; + left: 0; + top: 0; + border-right: thin solid cyan; + padding-left: 1em; + overflow: auto; +} + +#TOC ul { + padding-left: .5em; +} + +#TOC li { + list-style: circle; + width: 100% +} + +#TOC a:not(:hover) { + text-decoration: none; +} + +pre{ + border: thin solid cyan; + padding: 1em; + font-family: monospace !Important; + font-size: 18px; +} + +blockquote{ + border-left: 2px solid cyan; + color: #7E807E; +} + +@media only screen and (max-width: 1300px) { + #TOC{ + position: relative !important; + width: inherit; + height: inherit; + border: none; + } + + pre{ + font-size: 16px; + } +} + +@media only screen and (max-width: 480px) { + pre{ + font-size: 12px; + } +} + +@media only screen and (max-width: 370px) { + pre{ + font-size: 10px; + } +} + +@media only screen and (max-width: 300px) { + pre{ + font-size: 7px; + } +}
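Review bot: In doc/password-hashing.md, the salting step is underspecified and the Argon2 variant is the wrong one to recommend. "The server can increase the passwords entropy by concatenating it with a random string" should say that the random string is a salt generated per user (not one shared value), stored next to the hash, and that it does not raise the password's entropy but defeats precomputed dictionary and rainbow tables so each hash has to be attacked separately; a fixed shared string would not give that. For the Argon2 section, the variant recommended for password storage is Argon2id, not Argon2d: Argon2d's memory access pattern depends on the password, which exposes it to side-channel attacks, while Argon2id keeps the GPU resistance the section describes; suggest changing the heading and the closing recommendation to Argon2id. Two wording points: "obfuscating" is the wrong term, since a hash is one-way and not reversible by anyone holding the output, so "hashing" is what the text means, and "makes it impossible to bruteforce" should read "impractical", because a slow hash raises the cost of guessing rather than preventing it, and short or common passwords still fall quickly. Spelling: "users passwords" -> "users' passwords", "an key derivation" -> "a key derivation", "specialliazed" -> "specialized", "asic" -> "ASIC".

Review bot: In doc/style.css, several selectors are declared twice with conflicting values, so the later block silently wins and the first is dead weight: `blockquote` first gets `border-left: 2px solid #e6e6e6; color: #606060;` and is then overridden near the end with `border-left: 2px solid cyan; color: #7E807E;`; `pre` is declared once for margin/overflow and again for border/padding/font; `#TOC` appears in the `@media print` block, the main stylesheet and the 1300px media query with the same `position: relative !important; width: inherit; height: inherit; border: none;` body repeated in two of them. Suggest merging each selector into a single rule and keeping one copy of the TOC reset. Smaller points: `background-color: #222D31 ;` has a stray space before the semicolon, `width: 100%` in `#TOC li` is missing its semicolon, and `font-family: monospace !Important` is inconsistently capitalised and has no effect on the nested `code` element, whose own `font-family` rule wins anyway; `a:visited { color: cyan; }` repeats the `a` colour and can be dropped. The 7px `pre` font at 300px is effectively unreadable; consider letting the `pre` block scroll horizontally (it already has `overflow: auto`) rather than shrinking the text.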