You can not lose your private key, if you drop it first

Y	Hacker News new \| ask \| show \| jobs

	You can not lose your private key, if you drop it first (blog.imcotton.xyz)
	2 points by imcotton 673 days ago

2 comments

BobbyTables2 673 days ago

What rubbish is this?

Does the author not understand entropy or probability?

Deriving an RSA key from the product of two memorizable numbers makes it brute-force-able, and sends us back to 1990s export controlled encryption strength.

Tattoo-ing a key on one’s arm (however ridiculous) would be better than the methods here.

link

imcotton 673 days ago

Now, brute-force my private key and post new blog entry with your wallet address, I will send you rewards.

link

Too 673 days ago

Yeah. This removes one factor in 2FA by deriving something you have by something you know.

Almost equivalent to going back to username+password and use your favorite git hash as your password.

If you are truly paranoid about loosing your ssh key, get a hardware yubikey instead.

link

imcotton 673 days ago

In case one not digging into the source code, the key stretching here is PBKDF2-HMAC-SHA512 with 400,000 iterations (OWASP recommended 210,000).

The reason for not using Argon2 or scrypt is because PBKDF2 is native provide by Webcrypto yet FIPS-140 compliance.

link