commit be7ab1380c0d7752456acb226439c1c15404c351
parent 634fa38290b8842d32d9ce5fd2b3028cb326126c
Author: Jackson G. Kaindume <seestem@merely.tech>
Date: Sun, 14 Aug 2022 20:13:49 +0200
[doc] add docs about password hashing
Diffstat:
 A doc/password-hashing.md | 67 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 A doc/style.css | 202 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 269 insertions(+), 0 deletions(-)
diff --git a/doc/password-hashing.md b/doc/password-hashing.md
@@ -0,0 +1,67 @@
+# Password Hashing
+
+It is only a matter of time until your server gets hacked, and
+when that happens you don't want the users passwords to be leaked --
+this will allow the attacker to gain access to the users resources.
+Some users also use the same password across many services, your
+web-server can be the root cause of a chain of breaches.
+
+A cool way to prevent this type of leak is by __obfuscating__ the
+users password with a [__hash function__](https://en.wikipedia.org/wiki/Hash_function).
+
+There are lots of hash functions that can be used, but most of these
+are not recommended. For example if you use SHA-256 or other
+computationally cheap (hash function without a __work factor__
+parameter) functions, they are vulnerable to dictionary attacks.
+Bruteforce is also possible if the password length is short/known,
+asic miners can generate 100 TeraHashes PER Second.
+
+The server can increase the passwords entropy by concatenating it with
+a random string. Users can also protect themselves by using longer
+passwords.
+
+The best method to use against plaintext password leaks and dictionary
+attacks is to use a __Password Hash Function__. Which is a hash
+function specially designed to be slow/expensive to compute which
+makes it impossible to bruteforce with current machines.
+
+## Scrypt [recommended]
+
+The [scrypt](https://en.wikipedia.org/wiki/Scrypt) hash function uses large amounts of memory when hashing
+making it expensive to scale to the point of reasonable bruteforce
+attacks.
+
+A number of cryptocurrencies use __scrypt__ for proof of work.
+
+Created by Colin Percival of [Tarsnap](https://en.wikipedia.org/wiki/Tarsnap)
+
+## Argon2d [recommended]
+
+The [Argon2d](https://en.wikipedia.org/wiki/Argon2) function is
+designed to resist GPU cracking attacks.
+
+It is the winner of [Password Hashing Competition](https://www.password-hashing.net/).
+
+## Bcrypt
+
+[Bcrypt](https://en.wikipedia.org/wiki/Bcrypt) is based on the
+[blowfish](https://en.wikipedia.org/wiki/Blowfish_(cipher)) cipher.
+
+## PBKDF2
+
+[PBKDF2](https://en.wikipedia.org/wiki/PBKDF2) is an key derivation
+function with a sliding computational cost to reduce bruteforce
+search.
+
+
+## Conclusion
+
+A cool way to prevent password leaks is by __obfuscating__ them
+with a password hash functions which offer additional security
+against bruteforce from specialliazed hardware such as asics. If
+password hash functions are used and implemented correctly even the
+administrators of the server will not be able to read the users
+passwords especially if the server is open source and the users can
+audit the code for themselves.
+
+I recommend either of Scrypt or Argon2d for password hashing.
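Review bot: the `## Argon2d [recommended]` section, and the closing line "I recommend either of Scrypt or Argon2d for password hashing.", recommend the wrong Argon2 variant for password storage. Argon2d's memory access pattern depends on the password, so it is the variant exposed to cache-timing side channels; the Password Hashing Competition linked here selected the Argon2 family, and RFC 9106 recommends Argon2id for password hashing. Please retitle the section Argon2id and update the recommendation line to match. Wording points in the same hunk: "obfuscating the users password with a hash function" (and the same phrase in the Conclusion) should say "hashing", since hashing is one-way and obfuscation implies reversibility; "makes it impossible to bruteforce with current machines" overstates it, the cost only makes guessing impractical. The paragraph "The server can increase the passwords entropy by concatenating it with a random string" describes a salt without naming it; please call it a salt and state that it must be unique per user and stored alongside the hash, otherwise a reader may use one server-wide string. The Conclusion's claim that administrators will not be able to read users' passwords "especially if the server is open source" also needs qualifying: hashing protects passwords at rest, but whoever operates the server can still read a plaintext password when it arrives at login, and published source does not show that the deployed code matches it. Typos: "an key derivation function", "specialliazed", and "asic"/"asics" should be "ASIC"/"ASICs".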
diff --git a/doc/style.css b/doc/style.css
@@ -0,0 +1,202 @@
+
+html {
+ line-height: 1.5;
+ font-family: Georgia, serif;
+ font-size: 20px;
+ color: #ffffff;
+ background-color: #222D31 ;
+}
+body {
+ margin: 0 auto;
+ max-width: 36em;
+ padding-left: 50px;
+ padding-right: 50px;
+ padding-top: 0px;
+ margin-top: 0px;
+ padding-bottom: 50px;
+ hyphens: auto;
+ word-wrap: break-word;
+ text-rendering: optimizeLegibility;
+ font-kerning: normal;
+}
+
+@media (max-width: 600px) {
+ body {
+ font-size: 0.9em;
+ padding: 1em;
+ }
+}
+@media print {
+ body {
+ background-color: transparent;
+ color: black;
+ font-size: 12pt;
+ }
+ p, h2, h3 {
+ orphans: 3;
+ widows: 3;
+ }
+ h2, h3, h4 {
+ page-break-after: avoid;
+ }
+ #TOC{
+ position: relative !important;
+ width: inherit;
+ height: inherit;
+ border: none;
+ }
+}
+p {
+ margin: 1em 0;
+}
+a {
+ color: cyan;
+}
+a:visited {
+ color: cyan;
+}
+img {
+ max-width: 100%;
+}
+h1, h2, h3, h4, h5, h6 {
+ margin-top: 1.4em;
+ color: cyan;
+}
+h5, h6 {
+ font-size: 1em;
+ font-style: italic;
+}
+h6 {
+ font-weight: normal;
+}
+ol, ul {
+ padding-left: 1.7em;
+ margin-top: 1em;
+}
+li > ol, li > ul {
+ margin-top: 0;
+}
+blockquote {
+ margin: 1em 0 1em 1.7em;
+ padding-left: 1em;
+ border-left: 2px solid #e6e6e6;
+ color: #606060;
+}
+code {
+ font-family: Menlo, Monaco, 'Lucida Console', Consolas, monospace;
+ font-size: 85%;
+ margin: 0;
+}
+pre {
+ margin: 1em 0;
+ overflow: auto;
+}
+pre code {
+ padding: 0;
+ overflow: visible;
+}
+.sourceCode {
+ background-color: transparent;
+ overflow: visible;
+}
+
+hr {
+ background-color: cyan;
+ border: none;
+ height: 2px;
+ margin: 4em 0;
+}
+table {
+ margin: 1em 0;
+ border-collapse: collapse;
+ width: 100%;
+ overflow-x: auto;
+ display: block;
+ font-variant-numeric: lining-nums tabular-nums;
+}
+table caption {
+ margin-bottom: 0.75em;
+}
+tbody {
+ margin-top: 0.5em;
+ border-top: 1px solid cyan;
+ border-bottom: 1px solid cyan;
+}
+th {
+ border-top: 1px solid cyan;
+ padding: 0.25em 0.5em 0.25em 0.5em;
+}
+td {
+ padding: 0.125em 0.5em 0.25em 0.5em;
+}
+header {
+ margin-bottom: 4em;
+ text-align: center;
+}
+
+#TOC{
+ position: fixed;
+ width: 20vw;
+ height: 100vh;
+ left: 0;
+ top: 0;
+ border-right: thin solid cyan;
+ padding-left: 1em;
+ overflow: auto;
+}
+
+#TOC ul {
+ padding-left: .5em;
+}
+
+#TOC li {
+ list-style: circle;
+ width: 100%
+}
+
+#TOC a:not(:hover) {
+ text-decoration: none;
+}
+
+pre{
+ border: thin solid cyan;
+ padding: 1em;
+ font-family: monospace !Important;
+ font-size: 18px;
+}
+
+blockquote{
+ border-left: 2px solid cyan;
+ color: #7E807E;
+}
+
+@media only screen and (max-width: 1300px) {
+ #TOC{
+ position: relative !important;
+ width: inherit;
+ height: inherit;
+ border: none;
+ }
+
+ pre{
+ font-size: 16px;
+ }
+}
+
+@media only screen and (max-width: 480px) {
+ pre{
+ font-size: 12px;
+ }
+}
+
+@media only screen and (max-width: 370px) {
+ pre{
+ font-size: 10px;
+ }
+}
+
+@media only screen and (max-width: 300px) {
+ pre{
+ font-size: 7px;
+ }
+}
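Review bot: `pre` and `blockquote` are each declared twice in this file (`pre {` near the top with `margin` and `overflow`, then `pre{` near the bottom with the border, padding and font; `blockquote {` with `color: #606060;` and later `blockquote{` with `color: #7E807E;`), so the earlier `color` and `border-left` values are overridden and only the later ones ever apply. Please merge each pair into a single rule so the effective values are readable in one place. Smaller points: `font-family: monospace !Important;` should use the conventional lowercase `!important`; `width: 100%` inside `#TOC li` is missing its trailing semicolon, which is valid as the last declaration but breaks as soon as another property is appended; `background-color: #222D31 ;` has a stray space before the semicolon. Also, the commit is tagged `[doc]` and its message mentions only the password-hashing document, yet it adds a 202-line stylesheet; either mention the stylesheet in the message or split it into its own commit.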