[Owasp-leaders] Password Storage Cryptography
jim.manico at owasp.org
Mon Feb 22 00:01:53 UTC 2016
Very cool, John. Thanks for pointing out Keywhiz!
It's worth pointing out that both Keywhiz and Vault.io are in
alpha/beta. These both seem like well written but emerging tools, but
I'm glad someone is working on them.
* Vault.io for example is at version .5 and is undergoing a security
audit right now which should be done in a few weeks.
* The authors of Keywhiz stated that their software should be considered
Worth keeping an eye on.
On 2/21/16 4:52 PM, John Melton wrote:
> Vault is pretty nice, but does require infrastructure. If you're OK
> with that, then it's a good choice I think. Another option in that
> space is keywhiz. Both projects have published solid threat models so
> you can understand the goals and reasoning behind them.
> On Sun, Feb 21, 2016, 4:00 PM Jim Manico <jim.manico at owasp.org> wrote:
> Thanks for pointing this project out, Sherif.
> https://www.vaultproject.io/ looks heavy duty (you need to install
> a binary on your server, etc) and in-depth way to achieve the goal
> of encrypting configuration data.
> I do not know of many software frameworks that provide this
> capability out of the box other than .NET where you can encrypt
> sections of your Web.config file using DPAPI. If you know of other
> solutions to this problem I'd love to hear about it.
> On 2/21/16 2:13 PM, Sherif Mansour wrote:
>> Thanks Jim,
>> On the related topic of storing application credentials (i.e. how
>> to store the credentials/tokens an application uses to
>> authenticate to datastores and other apps etc..), has anyone
>> investigated https://www.vaultproject.io/ ? and if so what were
>> your thoughts on it?
>> Kind regards
>> Sherif Mansour
>> On Sun, Feb 21, 2016 at 7:18 PM, Jim Manico <jim.manico at owasp.org
>> <mailto:jim.manico at owasp.org>> wrote:
>> Hello folks,
>> I made a significant update to the password storage
>> cheatsheet (hat tip to John Steven) to mention the winner of
>> the password hashing competition, *Argon2*.
>> This is a fairly significant change beyond the standard
>> recommendations of using a salted PBKDF2, bcrypt or scrypt -
>> or HMACs at scale.
>> If you're into this sort of thing, check out
>> https://password-hashing.net/argon2-specs.pdf. Various crypto
>> libraries are working on production class implementations
>> now, and should be ready sometime in 2016/17. Worth putting
>> on your radar.
>> Jim Manico
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org