If you log in to servers that use bcrypt, scrypt, pbkdf2, etc., to salt & stretch your password for storage in a backend database, then you are vulnerable to phishing attacks, to cross-site attacks if you repeat passwords at different sites, and to a few other vulnerabilities.
I think the internet can do better. So I created CBcrypt: https://github.com/rahvee/CBcrypt The goal is to change the way we do authentication on the internet. Never give your password to anyone, not even trusted sites, not even when you're logging into them. At present, it's too immature to be considered stable and safe for production. It needs community review. If you know security people and/or cryptography people, please ask them to take a look. I believe it's all solid and sound, but hey. I just wrote it today. Also, it's presently C# only, but the core is a wrapper around BouncyCastle and AesManaged and SCrypt, so it should be easily portable to Java and other languages that support those standard libraries.
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
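The post's goal (stretch the password on the client, so the server never sees it and a phished or reused password does not carry over to another site) can be illustrated with a small client/server sketch. The code below is an added example and is not CBcrypt's own code: CBcrypt is C# over BouncyCastle, AesManaged and SCrypt, and the page does not describe its internal protocol. This sketch uses Python's `hashlib.scrypt` to derive a per-site private key from (site, username, password), a hand-rolled Schnorr-style signature on secp256k1 (pure Python, for illustration only; use a vetted library in practice), and a server that stores only public keys and authenticates by challenge-response. All function and class names are assumptions made here.

```python
import hashlib
import secrets

# secp256k1 domain parameters (standard constants).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                      # p1 == -p2
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P   # doubling (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        k >>= 1
    return result


def _encode(point):
    return point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")


def _hash_to_scalar(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N


def derive_private_key(site, username, password):
    """Client side: stretch the password with scrypt, salted by site and username.
    Because the site name is in the salt, the key for a look-alike phishing
    domain is unrelated to the key for the real site, and a reused password
    yields different keys at different sites."""
    salt = hashlib.sha256(site.encode() + b"\x00" + username.encode()).digest()
    raw = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return 1 + int.from_bytes(raw, "big") % (N - 1)   # scalar in [1, N-1]


def public_key(priv):
    return _mul(priv, G)


def sign(priv, message):
    """Schnorr-style signature: (R, s) with s = k + e*priv, e = H(R || pub || m).
    The nonce is derived deterministically from the key and message."""
    pub = _encode(public_key(priv))
    k = _hash_to_scalar(priv.to_bytes(32, "big"), message)
    if k == 0:
        raise ValueError("degenerate nonce")
    R = _encode(_mul(k, G))
    e = _hash_to_scalar(R, pub, message)
    return R + ((k + e * priv) % N).to_bytes(32, "big")


def verify(pub, message, sig):
    """Check s*G == R + e*pub using only the public key."""
    R = (int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:64], "big"))
    s = int.from_bytes(sig[64:], "big")
    e = _hash_to_scalar(sig[:64], _encode(pub), message)
    return _mul(s, G) == _add(R, _mul(e, pub))


class Server:
    """Holds public keys only: no password, hash, or salted-stretched secret."""

    def __init__(self):
        self.users = {}

    def register(self, username, pub):
        self.users[username] = pub

    def challenge(self):
        return secrets.token_bytes(32)       # fresh per login; blocks replay

    def authenticate(self, username, challenge, sig):
        pub = self.users.get(username)
        return pub is not None and verify(pub, challenge, sig)


def demo():
    """Register and log in; the password never leaves the client."""
    srv = Server()
    priv = derive_private_key("example.com", "alice", "correct horse battery")
    srv.register("alice", public_key(priv))
    c = srv.challenge()
    ok = srv.authenticate("alice", c, sign(priv, c))
    # A phishing domain would receive a signature from a different, unrelated key.
    phish_priv = derive_private_key("examp1e.com", "alice", "correct horse battery")
    return ok, phish_priv != priv


if __name__ == "__main__":
    print(demo())
```

The server-side store in this sketch contains nothing an attacker could use to log in as the user or to attack the user's other accounts, which is the property the post is after; what it does not cover is how the client learns the parameters, how keys are rotated, or how the browser is protected from a malicious page, none of which the post describes.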