Comments on: Don’t Hash Secrets http://benlog.com/articles/2008/06/19/dont-hash-secrets/ security, privacy, transparency. Thu, 04 Mar 2010 07:51:29 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: agilesWissen » Some interesting links… http://benlog.com/articles/2008/06/19/dont-hash-secrets/comment-page-1/#comment-625627 agilesWissen » Some interesting links… Thu, 04 Mar 2010 07:51:29 +0000 http://benlog.com/?p=168#comment-625627 [...] Don’t Hash Secrets [...] [...] Don’t Hash Secrets [...]

]]> By: Four short links: 5 February 2010 « Murder Manual http://benlog.com/articles/2008/06/19/dont-hash-secrets/comment-page-1/#comment-625582 Four short links: 5 February 2010 « Murder Manual Wed, 10 Feb 2010 07:07:15 +0000 http://benlog.com/?p=168#comment-625582 [...] Don’t Hash Secrets — One area of secure protocol development that seems to consistently yield poor design choices is the use of hash functions. What I’m going to say is not 100% correct, but it is on the conservative side of correct, so if you follow the rule, you (probably) can’t go wrong. You might be considered overly paranoid, but as they say, just because you’re paranoid doesn’t mean they’re not after you. So here it is: Don’t hash secrets. Never. No, sorry, I know you think your case is special but it’s not. No. Stop it. Just don’t do it. You’re making the cryptographers cry. [...] [...] Don’t Hash Secrets — One area of secure protocol development that seems to consistently yield poor design choices is the use of hash functions. What I’m going to say is not 100% correct, but it is on the conservative side of correct, so if you follow the rule, you (probably) can’t go wrong. You might be considered overly paranoid, but as they say, just because you’re paranoid doesn’t mean they’re not after you. So here it is: Don’t hash secrets. Never. No, sorry, I know you think your case is special but it’s not. No. Stop it. Just don’t do it. You’re making the cryptographers cry. [...]

]]> By: Knowtu » links for 2010-01-29 http://benlog.com/articles/2008/06/19/dont-hash-secrets/comment-page-1/#comment-625033 Knowtu » links for 2010-01-29 Sat, 30 Jan 2010 01:06:45 +0000 http://benlog.com/?p=168#comment-625033 [...] Benlog » Don’t Hash Secrets Use HMAC: Hash-function Message Authentication Code. (tags: security DevelopmentWisdom) [...] [...] Benlog » Don’t Hash Secrets Use HMAC: Hash-function Message Authentication Code. (tags: security DevelopmentWisdom) [...]

]]> By: Eric Blue’s Blog » Blog Archive » Weekly Lifestream for January 28th http://benlog.com/articles/2008/06/19/dont-hash-secrets/comment-page-1/#comment-624922 Eric Blue’s Blog » Blog Archive » Weekly Lifestream for January 28th Fri, 29 Jan 2010 01:07:39 +0000 http://benlog.com/?p=168#comment-624922 [...] Shared Benlog » Don’t Hash Secrets. [...] [...] Shared Benlog » Don’t Hash Secrets. [...]

]]> By: Don’t Hash Secrets | BlogHalt.com http://benlog.com/articles/2008/06/19/dont-hash-secrets/comment-page-1/#comment-624769 Don’t Hash Secrets | BlogHalt.com Tue, 26 Jan 2010 11:19:22 +0000 http://benlog.com/?p=168#comment-624769 [...] Don’t Hash Secrets. A well written explanation from 2008 of why you must use hmac instead of raw SHA-1 when hashing against a secret. [...] [...] Don’t Hash Secrets. A well written explanation from 2008 of why you must use hmac instead of raw SHA-1 when hashing against a secret. [...]

]]> By: Limitations of Hashing « Exhaust the Iterator http://benlog.com/articles/2008/06/19/dont-hash-secrets/comment-page-1/#comment-624735 Limitations of Hashing « Exhaust the Iterator Tue, 26 Jan 2010 01:04:53 +0000 http://benlog.com/?p=168#comment-624735 [...] Don’t Hash Secrets (via). Informative, accessible article that sketches the limitations of hashing, even with a [...] [...] Don’t Hash Secrets (via). Informative, accessible article that sketches the limitations of hashing, even with a [...]

]]> By: stev.ie/ » Blog Archive http://benlog.com/articles/2008/06/19/dont-hash-secrets/comment-page-1/#comment-624676 stev.ie/ » Blog Archive Mon, 25 Jan 2010 12:20:36 +0000 http://benlog.com/?p=168#comment-624676 [...] Via. [...] [...] Via. [...]

]]> By: links for 2010-01-24 « Breyten’s Dev Blog http://benlog.com/articles/2008/06/19/dont-hash-secrets/comment-page-1/#comment-624580 links for 2010-01-24 « Breyten’s Dev Blog Sun, 24 Jan 2010 11:04:49 +0000 http://benlog.com/?p=168#comment-624580 [...] Benlog ? Don?t Hash Secrets (tags: hashing security crypto hmac) [...] [...] Benlog ? Don?t Hash Secrets (tags: hashing security crypto hmac) [...]

]]> By: Joel http://benlog.com/articles/2008/06/19/dont-hash-secrets/comment-page-1/#comment-521056 Joel Tue, 31 Mar 2009 07:07:05 +0000 http://benlog.com/?p=168#comment-521056 So, in other words: hashing isn't the magical hammer -- HMAC is! Seriously, though, I was looking for a resource on the benefits of HMAC vs salted hashes, and this was perfect. Thanks! So, in other words: hashing isn’t the magical hammer — HMAC is!

Seriously, though, I was looking for a resource on the benefits of HMAC vs salted hashes, and this was perfect. Thanks!

]]> By: Anirvan http://benlog.com/articles/2008/06/19/dont-hash-secrets/comment-page-1/#comment-515242 Anirvan Thu, 19 Mar 2009 04:21:22 +0000 http://benlog.com/?p=168#comment-515242 Thanks for this post. It was incredibly useful. You got me to switch from appending a secret to using an HMAC digest in an application I'm working on. Thanks for this post. It was incredibly useful. You got me to switch from appending a secret to using an HMAC digest in an application I’m working on.

]]>