[doc] add docs about password hashing - cyrtophora - Unnamed repository; edit this file 'description' to name the repository.

commit be7ab1380c0d7752456acb226439c1c15404c351
parent 634fa38290b8842d32d9ce5fd2b3028cb326126c
Author: Jackson G. Kaindume <seestem@merely.tech>
Date:   Sun, 14 Aug 2022 20:13:49 +0200

[doc] add docs about password hashing

Diffstat:
A doc/password-hashing.md  | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A doc/style.css  | 202 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

2 files changed, 269 insertions(+), 0 deletions(-)
diff --git a/doc/password-hashing.md b/doc/password-hashing.md
@@ -0,0 +1,67 @@
+# Password Hashing
+
+It is only a matter of time until your server gets hacked, and
+when that happens you don't want the users passwords to be leaked --
+this will allow the attacker to gain access to the users resources.
+Some users also use the same password across many services, your 
+web-server can be the root cause of a chain of breaches.
+
+A cool way to prevent this type of leak is by __obfuscating__ the 
+users password with a [__hash function__](https://en.wikipedia.org/wiki/Hash_function).
+
+There are lots of hash functions that can be used, but most of these 
+are not recommended. For example if you use SHA-256 or other 
+computationally cheap (hash function without a __work factor__ 
+parameter) functions, they are vulnerable to dictionary attacks.
+Bruteforce is also possible if the password length is short/known, 
+asic miners can generate 100 TeraHashes PER Second.
+
+The server can increase the passwords entropy by concatenating it with
+a random string. Users can also protect themselves by using longer 
+passwords.
+
+The best method to use against plaintext password leaks and dictionary
+attacks is to use a __Password Hash Function__. Which is a hash 
+function specially designed to be slow/expensive to compute which 
+makes it impossible to bruteforce with current machines.
+
+## Scrypt [recommended]
+
+The [scrypt](https://en.wikipedia.org/wiki/Scrypt) hash function uses large amounts of memory when hashing 
+making it expensive to scale to the point of reasonable bruteforce 
+attacks.
+
+A number of cryptocurrencies use __scrypt__ for proof of work.
+
+Created by Colin Percival of [Tarsnap](https://en.wikipedia.org/wiki/Tarsnap)
+
+## Argon2d [recommended]
+
+The [Argon2d](https://en.wikipedia.org/wiki/Argon2) function is 
+designed to resist GPU cracking attacks.
+
+It is the winner of [Password Hashing Competition](https://www.password-hashing.net/).
+
+## Bcrypt
+
+[Bcrypt](https://en.wikipedia.org/wiki/Bcrypt) is based on the 
+[blowfish](https://en.wikipedia.org/wiki/Blowfish_(cipher)) cipher.
+
+## PBKDF2
+
+[PBKDF2](https://en.wikipedia.org/wiki/PBKDF2) is an key derivation
+function with a sliding computational cost to reduce bruteforce 
+search.
+
+
+## Conclusion
+
+A cool way to prevent password leaks is by __obfuscating__ them
+with a password hash functions which offer additional security 
+against bruteforce from specialliazed hardware such as asics. If 
+password hash functions are used and implemented correctly even the 
+administrators of the server will not be able to read the users 
+passwords especially if the server is open source and the users can
+audit the code for themselves.
+
+I recommend either of Scrypt or Argon2d for password hashing.
diff --git a/doc/style.css b/doc/style.css
@@ -0,0 +1,202 @@
+
+html {
+    line-height: 1.5;
+    font-family: Georgia, serif;
+    font-size: 20px;
+    color: #ffffff;
+    background-color: #222D31 ;
+}
+body {
+    margin: 0 auto;
+    max-width: 36em;
+    padding-left: 50px;
+    padding-right: 50px;
+    padding-top: 0px;
+    margin-top: 0px;
+    padding-bottom: 50px;
+    hyphens: auto;
+    word-wrap: break-word;
+    text-rendering: optimizeLegibility;
+    font-kerning: normal;
+}
+
+@media (max-width: 600px) {
+    body {
+        font-size: 0.9em;
+        padding: 1em;
+    }
+}
+@media print {
+    body {
+        background-color: transparent;
+        color: black;
+        font-size: 12pt;
+    }
+    p, h2, h3 {
+        orphans: 3;
+        widows: 3;
+    }
+    h2, h3, h4 {
+        page-break-after: avoid;
+    }
+    #TOC{
+	position: relative !important;
+	width: inherit;
+	height: inherit;
+	border: none;	
+    }
+}
+p {
+    margin: 1em 0;
+}
+a {
+    color: cyan;
+}
+a:visited {
+    color: cyan;
+}
+img {
+    max-width: 100%;
+}
+h1, h2, h3, h4, h5, h6 {
+    margin-top: 1.4em;
+    color: cyan;
+}
+h5, h6 {
+    font-size: 1em;
+    font-style: italic;
+}
+h6 {
+    font-weight: normal;
+}
+ol, ul {
+    padding-left: 1.7em;
+    margin-top: 1em;
+}
+li > ol, li > ul {
+    margin-top: 0;
+}
+blockquote {
+    margin: 1em 0 1em 1.7em;
+    padding-left: 1em;
+    border-left: 2px solid #e6e6e6;
+    color: #606060;
+}
+code {
+    font-family: Menlo, Monaco, 'Lucida Console', Consolas, monospace;
+    font-size: 85%;
+    margin: 0;
+}
+pre {
+    margin: 1em 0;
+    overflow: auto;
+}
+pre code {
+    padding: 0;
+    overflow: visible;
+}
+.sourceCode {
+    background-color: transparent;
+    overflow: visible;
+}
+
+hr {
+    background-color: cyan;
+    border: none;
+    height: 2px;
+    margin: 4em 0;
+}
+table {
+    margin: 1em 0;
+    border-collapse: collapse;
+    width: 100%;
+    overflow-x: auto;
+    display: block;
+    font-variant-numeric: lining-nums tabular-nums;
+}
+table caption {
+    margin-bottom: 0.75em;
+}
+tbody {
+    margin-top: 0.5em;
+    border-top: 1px solid cyan;
+    border-bottom: 1px solid cyan;
+}
+th {
+    border-top: 1px solid cyan;
+    padding: 0.25em 0.5em 0.25em 0.5em;
+}
+td {
+    padding: 0.125em 0.5em 0.25em 0.5em;
+}
+header {
+    margin-bottom: 4em;
+    text-align: center;
+}
+
+#TOC{
+    position: fixed;
+    width: 20vw;
+    height: 100vh;
+    left: 0;
+    top: 0;
+    border-right: thin solid cyan;
+    padding-left: 1em;
+    overflow: auto;
+}
+
+#TOC ul {
+    padding-left: .5em;
+}
+
+#TOC li {
+    list-style: circle;
+    width: 100%
+}
+
+#TOC a:not(:hover) {
+    text-decoration: none;
+}
+
+pre{
+    border: thin solid cyan;
+    padding: 1em;
+    font-family: monospace !Important;
+    font-size: 18px;
+}
+
+blockquote{
+    border-left: 2px solid cyan;
+    color: #7E807E;
+}
+
+@media only screen and (max-width: 1300px) {
+    #TOC{	
+	position: relative !important;
+	width: inherit;
+	height: inherit;
+	border: none;
+    }
+
+    pre{
+	font-size: 16px;
+    }
+}
+
+@media only screen and (max-width: 480px) {
+    pre{
+	font-size: 12px;
+    }
+}
+
+@media only screen and (max-width: 370px) {
+    pre{
+	font-size: 10px;
+    }
+}
+
+@media only screen and (max-width: 300px) {
+    pre{
+	font-size: 7px;
+    }
+}

	cyrtophora Unnamed repository; edit this file 'description' to name the repository.
	Log \| Files \| Refs \| README

A	doc/password-hashing.md	\|	67	+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A	doc/style.css	\|	202	+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++