Since Wordpress v6.8, the default hash func produces a custom bcrypt hash: $wp$2y$10$...
More info on this custom algo, how it uses hmac-sha384, and how to crack them with hashcat.
https://forum.hashpwn.net/post/4205
#wordpress #bcrypt #wpbcrypt #hashcracking #hashpwn #hashgen #hashcat
Hoy aprendí sobre el algoritmo de hash #bcrypt, basado en el cifrador de bloques #Blowfish, revisando un artículo de @andrea_navarro sobre extensiones de #Flask... particularmente sobre las extensiones de seguridad.
Y acabo de descubrir que es uno de los algoritmos soportados para la creación de passwords en GNU/Linux :D
Habrá que hacer algunos experimentos.
#gnu #linux #cryptography #criptografía #ciberseguridad #infosec #encrypt #hash #python #flask
Post-Quantum Cryptography Comes to Windows Insiders and Linux.
#win32 #windows #ncrypt #bcrypt #cryptography #encryption #linux
@jadi This "#OpenBSD is secure!" claim always annoyed me a lot, mainly because it doesn't tell anything: #Security in IT can only ever be defined in a context of #threat models. Without that, it's meaningless. Somewhat recently, I discovered this:
I should warn it uses some sarcasm and other confrontative language in some parts, unfortunately. But it seems to be a pretty professional analysis and assessment of (mostly) the "mitigations" OpenBSD provides in an attempt to counter "typical" attacks by at least making them harder.
I should also add that I consider this a very interesting and helpful read, and still consider OpenBSD a great project that came up with lots of great stuff (I recently used their #bcrypt code after doing some research on password hashing, for example). And I don't agree with every single criticism on that page either. I just think it's important to build assessments whether something "is secure" on a serious analytical foundation.
This is... interesting. Apparently bcrypt truncates user provided passwords at 72 byte marker. I guess one way can be to "prehash" the password with a HMAC as suggested here:
https://soatok.blog/2024/11/27/beyond-bcrypt/
The other (simpler) approach would be to, like Go's x/crypto/bcrypt, just reject all user provided passwords > 72 bytes. It is not *great*, but it works and fails "safe". Now one wonders *why* this is not the default behavior of PHP's password_hash function...
Cyclone
Diego Córdoba 🇦🇷
michabbb
Uckermark MacGyver 
Alvin Ashcraft
Alvin Ashcraft 🐿️
Felix Palmen 
François
Artemis