Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

That's silly. Even in the least charitable interpretation of what's happened, 1Password's security margin went from N (where N was a hypothetical security level believed to have been achieved by 1Pw, not some objective standard) to N/2. N/2 in this case is still light years past salted hashes.


Since N is generally measured in bits, I'd say it's reduced to N-1.


Argh I wish I had thought to say that.


True. And good thing knowing they are gonna make it better. I happened to find a license I got sometime with a bundle, so got it in use now.


I'm actually seeing N/4 in that hashcat.net/forum thread. See hashcat.net/forum/thread-2238-post-13424.html#pid13424 , or alternately just the last line of the original TFA, which says "reduce [work required] from 8000 to 2002".

I'm not sure how this is "least charitable", it seems to be pretty much the only interpretation. Either way, I'm not seeing the significance at all. I look forward to a reply from atom to penultimate post in that thread (#24) in which guinndupont explicitly asks for the real-world significance.

And I agree with Thomas and miles, that the vendor response is wonderfully direct, informative, reasonable, helpful, non-weaselly, etc. Props to him.


I used the word "charitable" because the "N" in this measurement is a hypothetical measurement of how much more secure 1Password could have been. But if that's a valid analysis, it's just as valid to say they should have been using scrypt. Which, sure, but who cares?


You're not still recommending PBKDF2 with FEAL4 GMAC? ;)


Too fast on hardware. I now recommend PBKDF2-HMAC-RSA2048HASH.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: