[Owasp-leaders] Password Storage Cryptography

John Melton jtmelton at gmail.com
Sun Feb 21 22:52:51 UTC 2016

Vault is pretty nice, but does require infrastructure. If you're OK with
that, then it's a good choice I think. Another option in that space is
keywhiz. Both projects have published solid threat models so you can
understand the goals and reasoning behind them.

On Sun, Feb 21, 2016, 4:00 PM Jim Manico <jim.manico at owasp.org> wrote:

> Thanks for pointing this project out, Sherif. https://www.vaultproject.io/
> looks like a heavy-duty (you need to install a binary on your server, etc.) and
> in-depth way to achieve the goal of encrypting configuration data.
> I do not know of many software frameworks that provide this capability out
> of the box other than .NET where you can encrypt sections of your
> Web.config file using DPAPI. If you know of other solutions to this problem
> I'd love to hear about it.
> Aloha,
> Jim
> On 2/21/16 2:13 PM, Sherif Mansour wrote:
> Thanks Jim,
> On the related topic of storing application credentials (i.e. how to store
> the credentials/tokens an application uses to authenticate to datastores
> and other apps etc.), has anyone investigated
> https://www.vaultproject.io/? And if so, what were your thoughts on it?
> Kind regards
> Sherif Mansour
> On Sun, Feb 21, 2016 at 7:18 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> Hello folks,
>> I made a significant update to the password storage cheatsheet (hat tip
>> to John Steven) to mention the winner of the password hashing competition,
>> *Argon2*.
>> https://www.owasp.org/index.php?title=Password_Storage_Cheat_Sheet&diff=209303&oldid=203402
>> This is a fairly significant change beyond the standard recommendations
>> of using a salted PBKDF2, bcrypt or scrypt - or HMACs at scale.
>> If you're into this sort of thing, check out
>> https://password-hashing.net/argon2-specs.pdf. Various crypto libraries
>> are working on production class implementations now, and should be ready
>> sometime in 2016/17. Worth putting on your radar.
>> Aloha,
>> Jim Manico
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
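As an added example tied to Jim's cheat sheet message above (not code from the cheat sheet, from OWASP, or from anyone in this thread), the following shows the salted-PBKDF2 storage pattern the cheat sheet already recommended, with a self-describing record and a rehash-on-login step so that stored hashes can be migrated to stronger parameters (or to Argon2 once production-grade libraries ship) without forcing password resets. It assumes only the Python standard library; the iteration count is an illustrative policy value, not a figure from the page.

```python
"""Salted password hashing with a self-describing record and rehash-on-login.

Added example, not code from the cheat sheet or anyone in this thread. It uses
PBKDF2-HMAC-SHA256 from the standard library on the assumption that no Argon2
library is installed; the record layout and upgrade logic are what let a
deployment move to stronger parameters (or to Argon2) without a forced reset.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

ALG = "pbkdf2_sha256"
CURRENT_ITERATIONS = 600_000   # illustrative policy value; raise it over time
SALT_BYTES = 16
DK_LEN = 32


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return 'alg$iterations$salt_b64$hash_b64' with a fresh random salt per user."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DK_LEN)
    return "$".join((ALG, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")))


def verify_password(password: str, record: str) -> Tuple[bool, bool]:
    """Return (matches, needs_rehash).

    needs_rehash is True when the stored record used weaker parameters than
    the current policy, so the caller can re-hash the plaintext it holds.
    """
    alg, iters, salt_b64, dk_b64 = record.split("$")
    if alg != ALG:
        raise ValueError("unsupported password hash algorithm: " + alg)
    iterations = int(iters)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    matches = hmac.compare_digest(candidate, expected)  # constant-time compare
    return matches, matches and iterations < CURRENT_ITERATIONS


def login(password: str, record: str) -> Tuple[bool, str]:
    """Verify; on success with outdated parameters, return an upgraded record."""
    ok, stale = verify_password(password, record)
    if ok and stale:
        return True, hash_password(password)
    return ok, record
```

The record stores its own algorithm name and parameters, so a later switch to Argon2 only needs a new `alg` branch in `verify_password` and existing users are upgraded on their next successful login.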
