Fabians Bookmarks
5 results tagged hashing

Data Pseudonymisation: Advanced Techniques and Use Cases — ENISA

This report, building on the basic pseudonymisation techniques, examines advanced solutions for more complex scenarios that can be based on asymmetric encryption, ring signatures and group pseudonyms, chaining mode, pseudonyms based on multiple identifiers, pseudonyms with proof of knowledge and secure multi-party computation. It then applies some of these techniques in the area of healthcare to discuss possible pseudonymisation options in different example cases. Lastly, it examines the application of basic pseudonymisation techniques in common cybersecurity use cases, such as the use of telemetry and reputation systems.

security cybersecurity infosec encryption pseudonymisation privacy anonymity data eu scrypt argon2 hashing
April 2, 2024 at 5:45:20 PM GMT+2*
https://www.enisa.europa.eu/publications/data-pseudonymisation-advanced-techniques-and-use-cases/

Password Storage - OWASP Cheat Sheet Series

This cheat sheet advises you on the proper methods for storing passwords for authentication. When passwords are stored, they must be protected from an attacker even if the application or database is compromised. Fortunately, a majority of modern languages and frameworks provide built-in functionality to help store passwords safely.

However, once an attacker has acquired stored password hashes, they are always able to brute force hashes offline. Defenders can slow down offline attacks by selecting hash algorithms that are as resource intensive as possible.

To sum up our recommendations:

  • Use Argon2id with a minimum configuration of 19 MiB of memory, an iteration count of 2, and 1 degree of parallelism.
  • If Argon2id is not available, use scrypt with a minimum CPU/memory cost parameter of (2^17), a minimum block size of 8 (1024 bytes), and a parallelization parameter of 1.
  • For legacy systems using bcrypt, use a work factor of 10 or more and with a password limit of 72 bytes.
  • If FIPS-140 compliance is required, use PBKDF2 with a work factor of 600,000 or more and set with an internal hash function of HMAC-SHA-256.
  • Consider using a pepper to provide additional defense in depth (though alone, it provides no additional secure characteristics).

hashing passwords security scrypt argon2
November 18, 2023 at 10:13:22 PM GMT+1*
https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#scrypt

Key derivation function - Wikipedia

As of May 2023, OWASP recommends the following KDFs for password hashing, listed in order of priority:

  1. Argon2id
  2. scrypt if Argon2id is unavailable
  3. bcrypt for legacy systems
  4. PBKDF2 if FIPS-140 compliance is required

https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

security passwords hashing scrypt argon2 pbkdf2
November 18, 2023 at 10:12:31 PM GMT+1*
https://en.wikipedia.org/wiki/Key_derivation_function

Unlimited Novelty: Don't use bcrypt

@SlexAxton @rem definitely use pbkdf2. See for details and to s/bcrypt/pbkdf2. Sha-ing won’t do.

cryptography bcrypt passwords security hashing webdev hash pbkdf2
March 28, 2012 at 8:53:03 PM GMT+2
http://www.unlimitednovelty.com/2012/03/dont-use-bcrypt.html

pyvideo.org - Advanced Security Topics

If your Python application has users, you should be worried about security. This talk will cover advanced material, highlighting common mistakes. Topics will include hashing and salts, timing attacks, serialization, and much more. Expect eye opening demos, and an urge to go fix your code right away.

security pypi programming python django setuptools packaging distribute pip hashing hmac sha256 video presentation pycon pycon2012
March 15, 2012 at 4:47:27 PM GMT+1
http://pyvideo.org/video/638/advanced-security-topics
By @fabian@floss.social · Powered by Shaarli