Explore >> Select a destination
|
You are here 
|
defuse.ca | ||
| | | | |
dusted.codes
|
|
| | | | | SHA-256 is not a secure password hashing algorithm | |
| | | | |
myers.io
|
|
| | | | | Every so often I see posts on Stack Exchange, or Hacker News where someone has figured out that their passwords are being sent to the server and the server can see them! The logic that we see is that if the password is hashed client side, then only the hash needs to be sent to the server, so the server never knows the password. Unfortunately, I sometimes even see this go one step further when people suggest that with this arrangement, HTTPS isnt required. Wrong. | |
| | | | |
blog.ropnop.com
|
|
| | | | | After compromising an OpenNMS server, I recovered salted password hashes. I couldn't find any info online, so I reversed them and wrote a tool to crack them | |
| | | | |
prezu.ca
|
|
| | | Part 3 is the last part in this short cycle. Here I'll explain all the details around Time-based One-Time Password algorithm. I'll finish up by also elaborating on things common to both, HMAC-Based One-Time Password algorithm: QR Codes used to easily transfer secrets from the server to the Authenticator app Base32 algorithm - used to store non-printable secret in a URI (effectively stored by the QR Codes mentioned above). TOTP One way to avoid the problems with lack of feedback between server and the app would be to shift from using a counter that is increasing with every authentication attempt to a counter based on, for example, a time stamp. This is what TOTP is actually doing. | ||
