[db-wg] NWIs update
Nick Hilliard
nick at foobar.org
Wed Apr 10 12:32:44 CEST 2019
Gert Doering wrote on 10/04/2019 11:08:
> The attack vector against unsalted hashes is "rainbow tables"... make the
> API key something like 80 characters long, and no machine in the world
> can do anything but brute force.

which will work until the DB ends up on https://haveibeenpwned.com/

> But why store the API key anyway. Have it contain permissions plus a
> cryptographically sane signature, and all you need to know is "in the key".

Sounds like it would cause problems unless you maintained a key revocation list. Or unless you maintained salt-per-client in cleartext format, which doesn't sound like an improvement.

Nick
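
The trade-off discussed in this message, as an added example that is not code from the thread: an API key that carries its permissions plus an HMAC signature can be verified with nothing stored per key, but withdrawing a single key then needs the revocation list mentioned in the reply. The key format, `SERVER_SECRET`, `REVOKED_IDS` and the permission strings are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

SERVER_SECRET = secrets.token_bytes(32)  # assumed server-side signing key (constructed)
REVOKED_IDS = set()                      # the revocation list: the only per-key state

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_key(key_id: str, permissions: list[str]) -> str:
    """Return 'payload.signature'; the server keeps no copy of the key."""
    payload = json.dumps({"id": key_id, "perms": sorted(permissions)},
                         separators=(",", ":")).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return f"{b64(payload)}.{b64(sig)}"

def verify_key(api_key: str, needed: str) -> bool:
    """Check the signature first, then the revocation list, then the permission."""
    try:
        payload_b64, sig_b64 = api_key.split(".")
        payload, sig = unb64(payload_b64), unb64(sig_b64)
    except ValueError:  # wrong number of parts or bad base64
        return False
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False  # payload was altered or signed with another secret
    claims = json.loads(payload)
    if claims["id"] in REVOKED_IDS:
        return False  # signature is still valid, so only this lookup can reject it
    return needed in claims["perms"]

if __name__ == "__main__":
    # Constructed sample: hypothetical client id and permission name.
    key = issue_key("client-42", ["update:inetnum"])
    print("valid before revocation:", verify_key(key, "update:inetnum"))
    REVOKED_IDS.add("client-42")
    print("valid after revocation: ", verify_key(key, "update:inetnum"))
```

Without the `REVOKED_IDS` lookup, a leaked key stays usable until `SERVER_SECRET` is rotated, which invalidates every issued key at once.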