by adammacleod 4535 days ago
No, not really. I do like having the length concatenated inside as well, as this provides a unique password for different lengths (useful to quickly visually identify if a password looks 'right').

Is there any reason why HMAC would be better than my current implementation? I have had a read over the article and it seems that straight SHA512 should have similar cryptographic strength.

Thanks for your input!

1 comments

Read the "Design Principles" section more carefully. Simple concatenation suffers from several different attack vectors.

Thank you.

I am concerned about changing the algorithm at this point in case anyone has already used it. I don't think there are any serious concerns but will report back if I find any (after taking some more time). Of course if anyone knows this stuff very well I'd be very eager for some feedback!

> Of course if anyone knows this stuff very well I'd be very eager for some feedback!

Exactly why you should be considering changing the algorithm.

http://happybearsoftware.com/you-are-dangerously-bad-at-cryp...
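
The concatenation concern raised in this thread, as an added example (not code from any poster or from the project being discussed): it assumes the generator hashes the master password, site name and length joined as plain strings, which the thread does not spell out. All function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import struct


def concat_password(master: str, site: str, length: int) -> str:
    """Assumed scheme: SHA-512 over master + site + length, truncated to length."""
    digest = hashlib.sha512(f"{master}{site}{length}".encode()).hexdigest()
    return digest[:length]


def _frame(field: bytes) -> bytes:
    # A 4-byte big-endian length prefix makes each field boundary unambiguous.
    return struct.pack(">I", len(field)) + field


def hmac_password(master: str, site: str, length: int) -> str:
    """HMAC-SHA512 keyed with the master secret over length-prefixed fields."""
    message = _frame(site.encode()) + _frame(str(length).encode())
    digest = hmac.new(master.encode(), message, hashlib.sha512).hexdigest()
    return digest[:length]


def prefix_overlap(scheme, master: str) -> bool:
    """True if the 6-char password for 'bank1' is a prefix of the 16-char one for 'bank'."""
    short = scheme(master, "bank1", 6)   # plain concat hashes "...bank16"
    long_ = scheme(master, "bank", 16)   # plain concat hashes "...bank16" as well
    return long_.startswith(short)


if __name__ == "__main__":
    master = "correct horse"  # constructed sample secret
    print("plain concatenation overlaps:", prefix_overlap(concat_password, master))
    print("framed HMAC overlaps:        ", prefix_overlap(hmac_password, master))
```

With plain concatenation the two (site, length) pairs feed the same byte string to SHA-512, so one site's password is a prefix of the other's; framing the fields and keying the hash with the master secret keeps the inputs distinct.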