[BBLISA] Reusing Passwords on Different Sites Should be OK

Edward Ned Harvey (bblisa4) bblisa4 at nedharvey.com
Fri Sep 18 12:00:17 EDT 2015


> From: John Stoffel [mailto:john at stoffel.org]
> 
> Edward> Let the salt be generated from: (1) the username, (2) a host
> Edward> identifier CBCryptHostID, and (3) certified random number
> Edward> published by certificate authorities.
> 
> But an attacker has all three values of the salt, right?  How do you
> mix the salt into the bcrypt() hash of the password?  Esp since the
> user only gives you back the encrypted value?

The diagram is in the tech video. I could answer the question here anyway, but I'm feeling like going into that level of detail right now on email is distracting to the actual core message, which is:

Any information you care to protect with HTTPS against random people maintaining the routers of the Internet, you probably also care to protect against random developers and sysadmins maintaining the networks and servers at the remote end of the HTTPS connection.
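The quoted question (how a salt built from three public values gets mixed into a password hash when the server only ever receives the derived value) is not answered in the message itself, so what follows is an added illustration of the general pattern, not CBCrypt's design and not code from this thread. It assumes a client-side key derivation step and uses `hashlib.pbkdf2_hmac` as a standard-library stand-in for bcrypt; the `HOST_ID` and `PUBLISHED_RANDOM` strings are constructed placeholders for the host identifier and the CA-published number the message names. The point it demonstrates: a salt is not a secret, it only has to differ per user and per site, so the same password on two hosts produces unrelated credentials and the remote operators never see the password itself.

```python
import hashlib
import hmac
import os

# Constructed sample inputs (assumptions for this illustration, not values from the thread).
USERNAME = "alice"
HOST_ID = "example.com#host-id-0001"                    # hypothetical stand-in for CBCryptHostID
PUBLISHED_RANDOM = "20150918:ca-published-random-value"  # hypothetical stand-in for the CA-published number

CLIENT_ITERATIONS = 200_000
SERVER_ITERATIONS = 100_000


def derive_public_salt(username, host_id, published_random):
    """Salt built only from public inputs.

    Secrecy is not required of a salt; uniqueness per user and per site is.
    Lower-casing the username keeps the salt stable across login forms that
    differ only in capitalisation.
    """
    material = b"\x00".join(
        part.encode() for part in (username.lower(), host_id, published_random)
    )
    return hashlib.sha256(material).digest()[:16]


def client_derive_credential(password, username, host_id, published_random):
    """Runs on the client. Only the returned bytes ever leave the client.

    pbkdf2_hmac stands in for bcrypt here so the example runs with the
    standard library alone; the structure is the same with any slow KDF.
    """
    salt = derive_public_salt(username, host_id, published_random)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, CLIENT_ITERATIONS)


def server_store(credential):
    """Server side: hash the received credential again under a fresh random salt.

    The server treats the credential as the 'password' it was given, so a
    stolen database still costs one KDF run per guess and does not expose
    the credential that other sites would also not recognise.
    """
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", credential, salt, SERVER_ITERATIONS)
    return salt, stored


def server_verify(record, credential):
    """Constant-time comparison of a presented credential against a stored record."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", credential, salt, SERVER_ITERATIONS)
    return hmac.compare_digest(stored, candidate)


def same_password_two_sites(password, username, host_a, host_b, published_random):
    """Return the credentials the client would send to two different hosts."""
    cred_a = client_derive_credential(password, username, host_a, published_random)
    cred_b = client_derive_credential(password, username, host_b, published_random)
    return cred_a, cred_b


if __name__ == "__main__":
    cred = client_derive_credential("correct horse battery staple", USERNAME, HOST_ID, PUBLISHED_RANDOM)
    record = server_store(cred)
    print("server accepts credential:", server_verify(record, cred))
    a, b = same_password_two_sites("correct horse battery staple", USERNAME, HOST_ID,
                                   "other.example#host-id-0002", PUBLISHED_RANDOM)
    print("same password, different hosts, unrelated credentials:", a != b)
```

The server in this sketch only learns `cred`, so a compromised sysadmin or developer at one site holds a value that is useless at any other host, which is the property the thesis below is after; whether the server re-hashes with bcrypt or, as here, PBKDF2 is an implementation choice.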