
DeadDrop and Strongbox

DeadDrop and Strongbox

Posted May 31, 2013 8:01 UTC (Fri) by sourcejedi (guest, #45153)
Parent article: DeadDrop and Strongbox

"The SHA256 hash of the code name is stored on the server"

Why is this design considered appropriate for a secure system?

Storing un-iterated, unsalted password hashes makes it easier to compromise large numbers of passwords once you've gained access. Every time someone gains access to a system with this design, we read articles criticising it...



DeadDrop and Strongbox

Posted Jun 17, 2013 7:03 UTC (Mon) by mp (subscriber, #5615)

It appears that what is actually stored is not simply SHA256 of the code name, but HMAC(local_secret, code_name).
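The difference between the two storage schemes discussed in this thread, as an added example that is not part of either comment and is not DeadDrop's own code: it compares what offline guessing recovers from a leaked identifier table under plain SHA256 and under HMAC(local_secret, code_name). The word list, code names and function names are constructed for illustration, and HMAC-SHA256 is assumed as the HMAC variant.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a tiny word list and code names built from it.
WORDS = ["amber", "birch", "cobalt", "delta", "ember", "fjord"]
CODE_NAMES = ["amber delta", "fjord birch", "cobalt ember"]


def sha256_id(code_name: str) -> str:
    """Unkeyed storage: anyone holding the table can recompute this."""
    return hashlib.sha256(code_name.encode()).hexdigest()


def hmac_id(local_secret: bytes, code_name: str) -> str:
    """Keyed storage: HMAC-SHA256(local_secret, code_name)."""
    return hmac.new(local_secret, code_name.encode(), hashlib.sha256).hexdigest()


def candidates(words):
    """Every two-word code name the constructed scheme can produce."""
    return [f"{a} {b}" for a in words for b in words if a != b]


def recoverable(stored: set, digest_fn) -> list:
    """Code names whose stored identifier matches a guess hashed with digest_fn."""
    return sorted(c for c in candidates(WORDS) if digest_fn(c) in stored)


def audit() -> dict:
    local_secret = secrets.token_bytes(32)  # kept outside the database
    wrong_secret = secrets.token_bytes(32)  # stands in for "key not known"
    plain_table = {sha256_id(c) for c in CODE_NAMES}
    keyed_table = {hmac_id(local_secret, c) for c in CODE_NAMES}
    return {
        # Table leaked, unkeyed hash: every code name falls to guessing.
        "sha256_table_only": recoverable(plain_table, sha256_id),
        # Table leaked, key not leaked: guesses cannot be verified.
        "hmac_table_only": recoverable(
            keyed_table, lambda c: hmac_id(wrong_secret, c)),
        # Table and key both leaked: HMAC is not iterated, guessing is fast again.
        "hmac_table_and_key": recoverable(
            keyed_table, lambda c: hmac_id(local_secret, c)),
    }


if __name__ == "__main__":
    for scenario, names in audit().items():
        print(f"{scenario}: {len(names)} of {len(CODE_NAMES)} recoverable")
```

The keyed scheme only helps while the secret is stored separately from the table; once both are exposed it offers the same resistance as the unsalted, un-iterated hash.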

