Topic: CBcrypt: Better than using bcrypt, scrypt, pbkdf2, etc to protect passwords

Tuck Fheman (Guest)

From the page ...

Better than using bcrypt, scrypt, pbkdf2, etc to protect passwords on servers:
Never expose passwords or encryption keys to servers. CBCrypt is developed and maintained by Concept Blossom and is used in Synctuary encrypted file sync & sharing.

Even the most non-techie users of the world have been trained not to send passwords or other sensitive info over the internet without HTTPS, but they don't personally know the employees of Dropbox/Google/etc any better than they know the employees of Verizon/Comcast/etc. By exposing passwords and encryption keys to the other side, you forfeit your right to privacy (Third Party Doctrine) and open yourself up to risk. CBCrypt is as important as HTTPS. We need to change the way the Internet works.

rudenaggar (Newbie, Posts: 1)
Using Rfc2898DeriveBytes with a non-trivial iteration count should be better than using a straight hash function for authentication purposes. The Rfc2898DeriveBytes class can be used to produce a derived key from a base key and other parameters. Rfc2898DeriveBytes is an implementation of PBKDF2. PBKDF2 uses a pseudorandom function and a configurable number of iterations to derive a cryptographic key from a password. Because this process is difficult to reverse but can also be configured to be slow to compute, key derivation functions are ideally suited for password hashing use cases. More about... Password Encryption
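The PBKDF2 password-hashing scheme rudenaggar describes, written out as an added example (not code from the thread, from CBCrypt, or from .NET). Python's hashlib.pbkdf2_hmac computes the same PBKDF2-HMAC that Rfc2898DeriveBytes computes when given HashAlgorithmName.SHA256, so the same record format and checks carry over. The storage record layout (scheme$iterations$salt$key), the iteration count, the salt length and the demo passwords are assumptions chosen for the example; derive_key reproduces the published PBKDF2-HMAC-SHA256 known-answer vectors ("password"/"salt", 1 and 4096 iterations) if you want to check it against another implementation.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example (assumptions, not from the thread).
# PBKDF2-HMAC-SHA256 is what Rfc2898DeriveBytes computes with
# HashAlgorithmName.SHA256; the iteration count is the work factor and
# should be raised as hardware gets faster.
PRF = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32
SCHEME = "pbkdf2_sha256"


def derive_key(password: str, salt: bytes, iterations: int, length: int = KEY_BYTES) -> bytes:
    """PBKDF2-HMAC-SHA256 of the UTF-8 encoded password; the core shared by the helpers below."""
    return hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt, iterations, dklen=length)


def hash_password(password: str, iterations: int = ITERATIONS, salt: Optional[bytes] = None) -> str:
    """Produce a self-describing record: scheme$iterations$salt_b64$key_b64.

    Storing the salt and iteration count beside the derived key lets the
    verifier recompute exactly what was stored, and lets the work factor be
    raised later without invalidating old records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    key = derive_key(password, salt, iterations)
    return "$".join([
        SCHEME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored parameters and compare in constant time."""
    try:
        scheme, iterations_s, salt_b64, key_b64 = record.split("$")
        iterations = int(iterations_s)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(key_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False  # malformed record: never fall through to a positive result
    if scheme != SCHEME or iterations < 1 or not salt or not expected:
        return False
    candidate = derive_key(password, salt, iterations, len(expected))
    # hmac.compare_digest avoids leaking the position of the first mismatching byte.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, min_iterations: int = ITERATIONS) -> bool:
    """True when a record was made with fewer iterations than the current policy.

    Call this right after a successful verify_password, while the plaintext
    is still in hand, and re-store hash_password(password) if it returns True.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return True
    try:
        return int(parts[1]) < min_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed demo values, not data from the thread.
    record = hash_password("correct horse battery staple")
    print(record)
    print("good password:", verify_password("correct horse battery staple", record))
    print("bad password: ", verify_password("Tr0ub4dor&3", record))
    # A record produced under an older, weaker policy is flagged for upgrade.
    old = hash_password("correct horse battery staple", iterations=1000)
    print("old record needs rehash:", needs_rehash(old))
```

Two details matter more than the choice of PRF: the salt must be random and unique per password (so equal passwords do not produce equal records and precomputed tables are useless), and the comparison must be constant-time. The iteration count stored in the record is what makes needs_rehash possible; without it you cannot raise the work factor for existing users.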