[Owasp-leaders] Password Storage Cryptography

Jim Manico jim.manico at owasp.org
Mon Feb 22 00:01:53 UTC 2016


Very cool, John. Thanks for pointing out Keywhiz!

It's worth pointing out that both Keywhiz and Vault.io are in 
alpha/beta. These both seem like well-written but emerging tools, but 
I'm glad someone is working on them.

* Vault.io for example is at version .5 and is undergoing a security 
audit right now which should be done in a few weeks.
* The authors of Keywhiz stated that their software should be considered 
alpha.

Worth keeping an eye on.

Aloha,
Jim

On 2/21/16 4:52 PM, John Melton wrote:
>
> Vault is pretty nice, but does require infrastructure. If you're OK 
> with that, then it's a good choice I think. Another option in that 
> space is keywhiz. Both projects have published solid threat models so 
> you can understand the goals and reasoning behind them.
> Thanks,
> John
>
>
> On Sun, Feb 21, 2016, 4:00 PM Jim Manico <jim.manico at owasp.org 
> <mailto:jim.manico at owasp.org>> wrote:
>
>     Thanks for pointing this project out, Sherif.
>     https://www.vaultproject.io/ looks like a heavy-duty (you need to
>     install a binary on your server, etc.) and in-depth way to achieve
>     the goal of encrypting configuration data.
>
>     I do not know of many software frameworks that provide this
>     capability out of the box other than .NET where you can encrypt
>     sections of your Web.config file using DPAPI. If you know of other
>     solutions to this problem I'd love to hear about it.
>
>     Aloha,
>     Jim
>
>
>     On 2/21/16 2:13 PM, Sherif Mansour wrote:
>>     Thanks Jim,
>>
>>     On the related topic of storing application credentials (i.e. how
>>     to store the credentials/tokens an application uses to
>>     authenticate to datastores and other apps etc..), has anyone
>>     investigated https://www.vaultproject.io/ ? and if so what were
>>     your thoughts on it?
>>
>>     Kind regards,
>>     Sherif Mansour
>>
>>     On Sun, Feb 21, 2016 at 7:18 PM, Jim Manico <jim.manico at owasp.org
>>     <mailto:jim.manico at owasp.org>> wrote:
>>
>>         Hello folks,
>>
>>         I made a significant update to the password storage
>>         cheatsheet (hat tip to John Steven) to mention the winner of
>>         the password hashing competition, *Argon2*.
>>
>>         https://www.owasp.org/index.php?title=Password_Storage_Cheat_Sheet&diff=209303&oldid=203402
>>
>>         This is a fairly significant change beyond the standard
>>         recommendations of using a salted PBKDF2, bcrypt or scrypt -
>>         or HMACs at scale.
>>
>>         If you're into this sort of thing, check out
>>         https://password-hashing.net/argon2-specs.pdf. Various crypto
>>         libraries are working on production class implementations
>>         now, and should be ready sometime in 2016/17. Worth putting
>>         on your radar.
>>
>>         Aloha,
>>         Jim Manico
>>
>>         _______________________________________________
>>         OWASP-Leaders mailing list
>>         OWASP-Leaders at lists.owasp.org
>>         <mailto:OWASP-Leaders at lists.owasp.org>
>>         https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>

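As an added illustration of the "salted PBKDF2" baseline the cheat sheet update refers to (example code written for this page, not from the OWASP cheat sheet or any poster), the record format below stores the algorithm, work factor and salt alongside the hash, so a stored password can be verified in constant time and flagged for re-hashing when a stronger setting or KDF such as Argon2 is later adopted. The iteration count and the `$pbkdf2-sha256$` record layout are assumptions chosen for this example.

```python
import base64
import hashlib
import hmac
import os

# Assumed work factor for this example; raise it over time and let
# needs_rehash() migrate stored records on the next successful login.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGO = "pbkdf2-sha256"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _parse(record: str):
    """Split '$algo$iterations$salt$hash' into its fields, or None if malformed."""
    parts = record.split("$")
    if len(parts) != 5 or parts[0] != "":
        return None
    try:
        return parts[1], int(parts[2]), base64.b64decode(parts[3]), base64.b64decode(parts[4])
    except ValueError:  # bad integer or bad base64 (binascii.Error subclasses ValueError)
        return None


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 record with a fresh random salt per password."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "${}${}${}${}".format(ALGO, iterations, _b64(salt), _b64(dk))


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the record's own parameters and compare in constant time."""
    fields = _parse(record)
    if fields is None or fields[0] != ALGO:
        return False
    _, iterations, salt, expected = fields
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str) -> bool:
    """True when the record uses an older algorithm or a lower work factor than current policy."""
    fields = _parse(record)
    return fields is None or fields[0] != ALGO or fields[1] < PBKDF2_ITERATIONS
```

On login, a successful `verify_password` followed by a true `needs_rehash` is the point at which the application should replace the stored record with `hash_password` under the current policy.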