[Owasp-leaders] Password Storage Cryptography

John Melton jtmelton at gmail.com
Sun Feb 21 22:52:51 UTC 2016


Vault is pretty nice, but does require infrastructure. If you're OK with
that, then it's a good choice I think. Another option in that space is
keywhiz. Both projects have published solid threat models so you can
understand the goals and reasoning behind them.
Thanks,
John

On Sun, Feb 21, 2016, 4:00 PM Jim Manico <jim.manico at owasp.org> wrote:

> Thanks for pointing this project out, Sherif. https://www.vaultproject.io/
> looks like a heavy-duty (you need to install a binary on your server, etc.)
> and in-depth way to achieve the goal of encrypting configuration data.
>
> I do not know of many software frameworks that provide this capability out
> of the box other than .NET, where you can encrypt sections of your
> Web.config file using DPAPI. If you know of other solutions to this problem,
> I'd love to hear about them.
>
> Aloha,
> Jim
>
>
> On 2/21/16 2:13 PM, Sherif Mansour wrote:
>
> Thanks Jim,
>
> On the related topic of storing application credentials (i.e. how to store
> the credentials/tokens an application uses to authenticate to datastores
> and other apps, etc.), has anyone investigated
> https://www.vaultproject.io/ ? And if so, what were your thoughts on it?
>
> Kind regards,
>
> Sherif Mansour
>
>
> On Sun, Feb 21, 2016 at 7:18 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> Hello folks,
>>
>> I made a significant update to the password storage cheatsheet (hat tip
>> to John Steven) to mention the winner of the password hashing competition,
>> *Argon2*.
>>
>>
>> https://www.owasp.org/index.php?title=Password_Storage_Cheat_Sheet&diff=209303&oldid=203402
>>
>> This is a fairly significant change beyond the standard recommendations
>> of using a salted PBKDF2, bcrypt or scrypt - or HMACs at scale.
>>
>> If you're into this sort of thing, check out
>> https://password-hashing.net/argon2-specs.pdf. Various crypto libraries
>> are working on production class implementations now, and should be ready
>> sometime in 2016/17. Worth putting on your radar.
>>
>> Aloha,
>> Jim Manico
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>