[Coquelicot] Patchset: add multiuser/pass auth module, add missing i18n tags, add Greek .po
Rowan Thorpe
rowan at rowanthorpe.com
Tue Dec 20 12:38:42 CET 2016
On 19 December 2016 at 00:51, Rowan Thorpe <rowan at rowanthorpe.com> wrote:
> Hi,
> ..[snip]..
...just adding a couple of explanatory details I missed in my last email.
I'm sure you already know this so I just add it for reference, to preempt
clarifying my processes by dialogue later.
> ..[snip]..
> either way. Regarding algo, the go-to scheme I am using for various
> things at the moment is bcrypting server-side (with crypto-grade
> random salt and tuning the rounds for the server) for the obvious
> reasons, and for web-interface code doing bcrypt of the password
> client-side in javascript where possible too - so the server will only
> be hashing the received hash-with-salt, and the client can know they
> are not even trusting the server with their password. Considering the
> philosophical basis of Coquelicot that seems a particularly relevant
> approach...
...of course client-side hashing needs reproducibility so it needs a
static or repeatable salt within the javascript...
> ..[snip]..
> If you think bcrypt/random-salt/etc is overkill (server- and/or
> client-side), then in addition to agreeing that at least SHA256 is a
> good idea, using HMAC-SHA256 with static salt specified in the
> config-file would be useful to mitigate potential rainbow-attacks.
...or a randomly generated salt, but prepending/appending it to the
stored hash for reuse, in the style of bcrypt...
--
Rowan Thorpe
PGP fingerprint:
BB0A 0787 C0EE BDD8 7F97 3D30 49F2 13A5 265D CCBD
----
"A riot is the language of the unheard." - Dr. Martin Luther King
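As an added illustration of the fallback scheme discussed in the thread (this is neither Coquelicot's code nor the poster's), in Ruby since Coquelicot is a Ruby application: a client-side style pre-hash with a static salt, then server-side HMAC-SHA256 keyed by a secret from the config file, with a random per-entry salt kept in front of the stored digest bcrypt-style so it is reused on verification. The module and function names, the `$` separator, and the sample secrets are assumptions.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical password store following the HMAC-SHA256 option from the
# email: a static secret from the config file keys the HMAC, and a random
# per-entry salt is generated and stored in front of the digest ("salt$hash",
# in the style of bcrypt) so the same salt is reused when verifying.
module HmacPasswordStore
  SALT_BYTES = 16

  # Stand-in for the client-side pre-hash the email describes: in practice
  # this runs in the browser (JavaScript) with a static salt so the result is
  # reproducible; the server then only ever sees this value, not the password.
  def self.client_prehash(static_salt, password)
    OpenSSL::Digest::SHA256.hexdigest(static_salt + ':' + password)
  end

  # Server-side digest of +secret+ (the received client hash) under the
  # config key and the hex salt; the salt is mixed into the HMAC input.
  def self.digest(config_key, salt_hex, secret)
    OpenSSL::HMAC.hexdigest('SHA256', config_key, salt_hex + ':' + secret)
  end

  # Value to keep in the users file: "<salt>$<digest>". A fresh random salt
  # per entry means equal secrets do not produce equal stored values.
  def self.store(config_key, secret, salt_hex = SecureRandom.hex(SALT_BYTES))
    "#{salt_hex}$#{digest(config_key, salt_hex, secret)}"
  end

  # Check +secret+ against a stored "<salt>$<digest>" value, reusing the salt
  # that was prepended when the entry was created.
  def self.verify(config_key, stored, secret)
    salt_hex, expected = stored.split('$', 2)
    return false if salt_hex.nil? || expected.nil?
    secure_equal?(expected, digest(config_key, salt_hex, secret))
  end

  # Constant-time comparison so verification time does not leak how many
  # leading characters of the digest matched.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```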