Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://abyssdomain.expert/users/filippo/statuses/109559945280274566">Filippo Valsorda :go: (filippo@abyssdomain.expert)'s status on Saturday, 24-Dec-2022 15:03:35 JST</a><a href="https://abyssdomain.expert/@filippo" title="filippo@abyssdomain.expert"><img src="https://gnusocial.jp/avatar/60766-48-20221208223432.webp" width="48" height="48" alt="Filippo Valsorda :go:" style="position: absolute; left: 0; top: 0;">Filippo Valsorda :go:</a></section><article><p><a href="https://abyssdomain.expert/tags/LastPass" rel="tag">#LastPass</a> is being deservedly criticized for using PBKDF2-HMAC-SHA256 with a number of iterations that is 3x lower than the OWASP recommendation, but there's much worse here IMHO.</p><p>First, 1Password's design with a random secret key or iCloud Keychain's with HSM wrapping would have prevented cracking altogether.</p><p>Second, they did not upgrade legacy hashes (<a href="https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#upgrading-legacy-hashes" rel="nofollow noreferrer">https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#upgrading-legacy-hashes</a>), so the iteration count on my old account was actually 5,000, 62 TIMES lower than the recommendation.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/912796#notice-2107875">In conversation</a><time datetime="2022-12-24T15:03:35+09:00" title="Saturday, 24-Dec-2022 15:03:35 JST">Saturday, 24-Dec-2022 15:03:35 JST</time> <span>from <span><a href="https://abyssdomain.expert/@filippo/109559945280274566" rel="external" title="Sent from abyssdomain.expert via ActivityPub">abyssdomain.expert</a></span></span><a href="https://abyssdomain.expert/@filippo/109559945280274566">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: cheatsheetseries.owasp.org</div><h5><a href="https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#upgrading-legacy-hashes">Password Storage - OWASP Cheat Sheet Series</a></h5><div></div></header><div>Website with the collection of all the cheat sheets of the project.</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Filippo Valsorda :go: (filippo@abyssdomain.expert)'s status on Saturday, 24-Dec-2022 15:03:35 JST Filippo Valsorda :go:
#LastPass is being deservedly criticized for using PBKDF2-HMAC-SHA256 with a number of iterations that is 3x lower than the OWASP recommendation, but there's much worse here IMHO.
First, 1Password's design with a random secret key or iCloud Keychain's with HSM wrapping would have prevented cracking altogether.
Second, they did not upgrade legacy hashes (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#upgrading-legacy-hashes), so the iteration count on my old account was actually 5,000, 62 TIMES lower than the recommendation.
In conversationSaturday, 24-Dec-2022 15:03:35 JST from abyssdomain.expertpermalink
Attachments
1. Domain not in remote thumbnail source whitelist: cheatsheetseries.owasp.org
  Password Storage - OWASP Cheat Sheet Series
  Website with the collection of all the cheat sheets of the project.

Public

Embed Notice

HTML Code

Corresponding Notice