[Owasp-leaders] Password Storage Cryptography

Jim Manico jim.manico at owasp.org
Sun Feb 21 20:56:13 UTC 2016


Thanks for pointing this project out, Sherif. 
https://www.vaultproject.io/ looks like a heavy-duty (you need to install a 
binary on your server, etc.) and in-depth way to achieve the goal of 
encrypting configuration data.

I do not know of many software frameworks that provide this capability 
out of the box other than .NET where you can encrypt sections of your 
Web.config file using DPAPI. If you know of other solutions to this 
problem, I'd love to hear about them.

Aloha,
Jim

On 2/21/16 2:13 PM, Sherif Mansour wrote:
> Thanks Jim,
>
> On the related topic of storing application credentials (i.e. how to 
> store the credentials/tokens an application uses to authenticate to 
> datastores and other apps, etc.), has anyone investigated 
> https://www.vaultproject.io/ ? And if so, what were your thoughts on it?
>
> Kind regards
> Sherif Mansour
>
> On Sun, Feb 21, 2016 at 7:18 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>     Hello folks,
>
>     I made a significant update to the password storage cheatsheet
>     (hat tip to John Steven) to mention the winner of the password
>     hashing competition, *Argon2*.
>
>     https://www.owasp.org/index.php?title=Password_Storage_Cheat_Sheet&diff=209303&oldid=203402
>
>     This is a fairly significant change beyond the standard
>     recommendations of using a salted PBKDF2, bcrypt or scrypt - or
>     HMACs at scale.
>
>     If you're into this sort of thing, check out
>     https://password-hashing.net/argon2-specs.pdf. Various crypto
>     libraries are working on production class implementations now, and
>     should be ready sometime in 2016/17. Worth putting on your radar.
>
>     Aloha,
>     Jim Manico
