Improve security of weak passphrases by implementing PBKDF2

Issue #30 new
NxtChg created an issue

Users often pick low-entropy passphrases, because they are used to regular passwords.

And then their account gets hacked with something that looks like offline brute-forcing.

So instead of doing

MessageDigest.getInstance("SHA-256").digest(secretPhrase.getBytes("UTF-8"))

we should do something like PBKDF2 to improve security.

Comments (2)

  1. Jean-Luc Picard repo owner

    Whatever gets done in the JavaScript client has to be supported in other clients too, so that when the js client is dropped users have a way to migrate. So only if PBKDF2 becomes standard in at least a few alternative clients, and if we still maintain the js client at that time, then it would make sense to also add PBKDF2 to the js client.

  2. NxtChg reporter

    No argument there.

    I will continue nagging client devs to agree on some sort of standard for this.