LoganDark's Content

There have been 172 items by LoganDark (Search limited from 10-February 22)


#251227 [V4.1 COMING!] LoganDark's Password Lock

Posted by LoganDark on 01 May 2016 - 01:45 AM in Programs

Anavrins, on 30 April 2016 - 06:04 AM, said:

If you want to try out pbkdf2, I added it to my sha256 file http://pastebin.com/6UV4qfNF.
Functionality is pbkdf2(password, salt, iter, dklen)
Password and salt are self-explanatory, iter is the number of iterations, more iterations make it slower, you can fine tune it to be not too slow but not so fast.
You don't need to touch dklen, this is the desired output length in bytes, it's defaulted to 32 and shouldn't be more than that for password storage, it's pretty much only useful for when you need more than 32 bytes of key material for ciphers and other.

This is a proper algorithm to make bruteforce slower, it's used in things like iPhone's pins, LastPass master keys and more.
It also passes the test vectors at https://stackoverflo...a2-test-vectors

Can you give a version with just pbkdf2 and make it as compact as possible?



#248301 [V4.1 COMING!] LoganDark's Password Lock

Posted by LoganDark on 17 March 2016 - 12:58 AM in Programs

LDDestroier, on 16 March 2016 - 07:56 PM, said:

Ohh, it uses SHA256! Good LoganDark! I should go change my encrypted lock to use that instead.
Although, IMO it uses too many sleep() calls, and it DOES look a bit too basic for my taste. But it gets the job done, and is indeed much harder to brute-force than your previous one.

Although, brute-forcing would not be hard outside of ComputerCraft, on a real machine, possibly running brute-force as its OS (lol), with real-world hashing with real good speed.


What are you talking about, too many sleep() calls?



#253283 [V4.1 COMING!] LoganDark's Password Lock

Posted by LoganDark on 07 June 2016 - 07:54 PM in Programs

Anavrins, on 07 June 2016 - 07:50 PM, said:

Dragon53535, on 07 June 2016 - 07:37 PM, said:

What? Now I'm curious, are you salting the hashed password? Or the password and then hashing it?
He's using an algorithm called pbkdf2 that I implemented.
Usage is simple, you feed it the raw password, and an unpredictable salt, you leave the rest to the algorithm.
Resalting the hash is not insecure, it's just an unnecessary step.

LoganDark, on 07 June 2016 - 07:46 PM, said:

if you have password HI with salt 12345678 then the rainbow table might have a password called HI12345678 which ends up being the same hash, it wouldn't take much expertise to subtract 12345678 from HI12345678 to get HI.
If you concatenate the salt with the hash, you're doing it wrong, PBKDF2 doesn't concatenate the salt with the password, it is integrated with the hash via HMAC.

Oh.

#REKT ANY OTHER PASSWORD SYSTEM, MINE IS OFFICIALLY THE (first) MOST SECURE SYSTEM ON THE FORUMS.

Edit: sorry double post

Luca_S, on 07 June 2016 - 07:52 PM, said:

LoganDark, on 07 June 2016 - 07:46 PM, said:

if you have password HI with salt 12345678 then the rainbow table might have a password called HI12345678 which ends up being the same hash, it wouldn't take much expertise to subtract 12345678 from HI12345678 to get HI.

just an example.

Errrm that is salting the password and then hashing it...

I didn't understand pdbfkdksshspdhj2 until anavrins told me... My system used to concatenate the salt to the password and then hash with SHA256, now it uses PBDKSDGH2.
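
Added example, not part of the thread and not Anavrins' or LoganDark's code: a Python sketch (the thread's code is Lua) of PBKDF2-HMAC-SHA256 with the pbkdf2(password, salt, iter, dklen) argument order described earlier, next to the concatenate-then-SHA256 scheme mentioned above, showing that the salt enters through HMAC instead of being glued to the password. Function names, the record layout and the 1000-iteration default are assumptions; HI / 12345678 are the thread's own sample values.

```python
import hashlib, hmac, os, struct

def pbkdf2_sha256(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256 (RFC 8018), argument order pbkdf2(password, salt, iter, dklen)."""
    out, block = b"", 1
    while len(out) < dklen:
        # The salt is an HMAC *message* keyed by the password, not text appended to it.
        u = hmac.new(password, salt + struct.pack(">I", block), hashlib.sha256).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()
            t ^= int.from_bytes(u, "big")  # XOR every round into this output block
        out += t.to_bytes(32, "big")
        block += 1
    return out[:dklen]

def concat_sha256(password: bytes, salt: bytes) -> bytes:
    """The older scheme from the thread: SHA-256 over password followed by salt."""
    return hashlib.sha256(password + salt).digest()

def make_record(password: str, iterations: int = 1000) -> dict:
    """Hypothetical lock-file record: salt, iteration count, derived key; never the password."""
    salt = os.urandom(16)  # unpredictable and fresh for every stored password
    return {"salt": salt, "iter": iterations,
            "dk": pbkdf2_sha256(password.encode(), salt, iterations)}

def verify(record: dict, attempt: str) -> bool:
    dk = pbkdf2_sha256(attempt.encode(), record["salt"], record["iter"], len(record["dk"]))
    return hmac.compare_digest(dk, record["dk"])  # constant-time comparison

def demo() -> dict:
    pw, salt = b"HI", b"12345678"  # sample values from the thread
    # Plain concatenation loses the password/salt boundary: both inputs hash "HI12345678".
    ambiguous = concat_sha256(b"HI", b"12345678") == concat_sha256(b"HI1234", b"5678")
    distinct = pbkdf2_sha256(b"HI", b"12345678", 1) != pbkdf2_sha256(b"HI1234", b"5678", 1)
    stdlib = hashlib.pbkdf2_hmac("sha256", pw, salt, 1000, 64)
    a, b = make_record("HI"), make_record("HI")
    return {"concat_ambiguous": ambiguous, "pbkdf2_distinct": distinct,
            "matches_stdlib": pbkdf2_sha256(pw, salt, 1000, 64) == stdlib,
            "same_pw_differs": a["dk"] != b["dk"],  # per-record salt: no shared table
            "verify_ok": verify(a, "HI"), "verify_bad": verify(a, "hi")}

if __name__ == "__main__":
    print(demo())
```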



#248316 [V4.1 COMING!] LoganDark's Password Lock

Posted by LoganDark on 17 March 2016 - 07:32 AM in Programs

LDDestroier, on 17 March 2016 - 01:56 AM, said:

LoganDark, on 17 March 2016 - 12:58 AM, said:

What are you talking about, too many sleep() calls?

Lines 233, 248, 252. It's kinda annoying waiting two seconds to get to the shell.

If there were no sleep calls there, the user wouldn't be able to read the text.

Edit: The user might want to know what's going on if they're suddenly asked for the password again.



#253269 [V4.1 COMING!] LoganDark's Password Lock

Posted by LoganDark on 07 June 2016 - 06:59 PM in Programs

Luca_S, on 07 June 2016 - 06:57 PM, said:

LoganDark, on 07 June 2016 - 06:40 PM, said:

Lyqyd, on 07 June 2016 - 01:32 PM, said:

Moved to Programs.
this is definitely a utility, but okay...
We discussed that earlier and obviously Lyqyd (or some other mod) didn't like that discussion to be here (Else he wouldn't have cut it off).
But now to the salt:
If the user gets access to the files of the computer (Disk, or maybe an evil server owner) and your password is not salted he can use a rainbow table, that he calculates once and then uses EVERY time he finds a badly programmed password lock. If you salt your password the attacker needs to recalculate the rainbow table for every salt, therefore making cracking slow. So keep the functionality.

But you don't need a rainbow table for the salt, you can just use the one stored in the file. That's what I'm talking about, just use the same rainbow table with whatever salt is in the file.



#248373 [V4.1 COMING!] LoganDark's Password Lock

Posted by LoganDark on 17 March 2016 - 06:57 PM in Programs

Creator, on 17 March 2016 - 11:22 AM, said:

Better tell the user to press a key.

Like "press any key to continue"?



#250986 [V4.1 COMING!] LoganDark's Password Lock

Posted by LoganDark on 25 April 2016 - 10:29 PM in Programs

Luca_S, on 25 April 2016 - 08:16 PM, said:

LoganDark, on 25 April 2016 - 07:46 PM, said:

I am working on version 4 of my password lock system. Have suggestions? Now is the time to pitch in.

LDDestroier, on 25 April 2016 - 07:32 PM, said:

If you'd sacrifice speed and convenience for an insignificant security boost, at least have a config option to make it hash once.

Edit: I tested it:

Hash 1 time: 0.05 seconds
Hash 50 times: 2.5 seconds

We are talking about 2.45 seconds longer for a really insignificant change of security.

I've already considered that. The answer: completely ditching 50 hashes for 1.



#248395 [V4.1 COMING!] LoganDark's Password Lock

Posted by LoganDark on 17 March 2016 - 10:12 PM in Programs

Minecrosoft, on 17 March 2016 - 07:00 PM, said:

LoganDark, on 17 March 2016 - 06:57 PM, said:

Creator, on 17 March 2016 - 11:22 AM, said:

Better tell the user to press a key.

Like "press any key to continue"?

Yeah, it's quite easy.

<code here>
print("Press any key to continue")
sleep(0.2)--make sure any key press from the state before is up
os.pullEventRaw( "key_up" )
<more code here>

Uhh, I'm not dumb.
Thanks for your help, but I don't need help unless I ask for it.

ry00000, on 17 March 2016 - 07:00 PM, said:

LoganDark, on 17 March 2016 - 12:58 AM, said:

LDDestroier, on 16 March 2016 - 07:56 PM, said:

Ohh, it uses SHA256! Good LoganDark! I should go change my encrypted lock to use that instead.
Although, IMO it uses too many sleep() calls, and it DOES look a bit too basic for my taste. But it gets the job done, and is indeed much harder to brute-force than your previous one.

Although, brute-forcing would not be hard outside of ComputerCraft, on a real machine, possibly running brute-force as its OS (lol), with real-world hashing with real good speed.


What are you talking about, too many sleep() calls?

Yanno, I have a system that can crack a non-salted SHA in about 5 seconds.

What makes you think I really care?



#251231 [V4.1 COMING!] LoganDark's Password Lock

Posted by LoganDark on 01 May 2016 - 02:28 AM in Programs

Fatal JavaScript error using Mimic.

pbkdf2(data, salt, 1, 64) --# Using 64 because I want to.



#249508 [V4.1 COMING!] LoganDark's Password Lock

Posted by LoganDark on 05 April 2016 - 07:43 PM in Programs

Anavrins, on 05 April 2016 - 06:07 PM, said:

LoganDark, on 05 April 2016 - 05:30 PM, said:

Which one would you choose: Looks or security? It's hard to have both.
I don't see why looks would impair security, it's usually the convenience that's a problem when designing security applications.
Example, most CC locks are good, but you can't make a password reminder thing without giving away some security, Krist's addresses are robust, but you'll lose everything if you forget your pwd, no password recovery either.

LoganDark, on 05 April 2016 - 05:30 PM, said:

Which one would you choose: Looks or security? It's h-a-r-d (not impossible) to have both.



#253277 [V4.1 COMING!] LoganDark's Password Lock

Posted by LoganDark on 07 June 2016 - 07:38 PM in Programs

Dragon53535, on 07 June 2016 - 07:37 PM, said:

What? Now I'm curious, are you salting the hashed password? Or the password and then hashing it?


Edit: Nvm, you didn't realize it was a pregenerated table of hashes.

I'm salting the password then hashing it. Salting the hash is extremely insecure and horrible...



#249518 [V4.1 COMING!] LoganDark's Password Lock

Posted by LoganDark on 05 April 2016 - 09:59 PM in Programs

Anavrins, on 05 April 2016 - 09:08 PM, said:

LoganDark, on 05 April 2016 - 05:30 PM, said:

Which one would you choose: Looks or security? It's h-a-r-d (not impossible) to have both.
You don't get what I'm saying, you could make your lock very visually appealing and it would not improve nor degrade its security back-end.

What I meant is that there's a trade-off for user conveniences in exchange for security, such as password recovery, security questions.
The visuals of a program have nothing to do with the security of it.

tl;dr, It's e-a-s-y to have both looks and security, not so much if you want a password recovery mechanism.

I get that, but the problem is if you're not making it yourself you can't find a good lock. Basically, if you search for one that just looks good, you'll find one that does NOT block termination and stores the password in plaintext. If you search for one with security, you will find mine (:P). I'm trying to focus on security while not distracting the user with all this prettiness.



#248234 [V4.1 COMING!] LoganDark's Password Lock

Posted by LoganDark on 16 March 2016 - 06:03 PM in Programs

Comments below were posted after version 2 of my password lock had been released.

To view comments for the most recent version of my system, click here.



#249807 [V4.1 COMING!] LoganDark's Password Lock

Posted by LoganDark on 10 April 2016 - 02:37 AM in Programs

LDDestroier, on 06 April 2016 - 01:27 AM, said:

...My fine door lock...
...and, if you put in door sides to an array, it turns into a door lock...
So your door lock turns into a door lock? How interesting.

You failed. :P



#250995 [V4.1 COMING!] LoganDark's Password Lock

Posted by LoganDark on 25 April 2016 - 11:13 PM in Programs

Anavrins, on 25 April 2016 - 11:11 PM, said:

-snip-

I would also recommend using my implementation of SHA2, -snip-

Can you create a version which has the bit32 functions included? Mimic doesn't have bit32, and bit doesn't have blshift (or brshift; can't remember).



#249817 [V4.1 COMING!] LoganDark's Password Lock

Posted by LoganDark on 10 April 2016 - 04:46 AM in Programs

LDDestroier, on 10 April 2016 - 04:22 AM, said:

Nooooo! [snip]
Isn't that supposed to have 4 o's only? :P



#251229 [V4.1 COMING!] LoganDark's Password Lock

Posted by LoganDark on 01 May 2016 - 02:00 AM in Programs

Anavrins, on 01 May 2016 - 01:59 AM, said:

It's pretty much that, it needs SHA2 and HMAC to work, it's as compact as it can be.

Okay, thanks.



#249866 [V4.1 COMING!] LoganDark's Password Lock

Posted by LoganDark on 10 April 2016 - 09:44 PM in Programs

LDDestroier, on 10 April 2016 - 04:21 PM, said:

LoganDark, on 10 April 2016 - 04:46 AM, said:

LDDestroier, on 10 April 2016 - 04:22 AM, said:

Nooooo! [snip]
Isn't that supposed to have 4 o's only? :P

NOOOOOOOOOO!!!

It's supposed to have 15 O's, not 10. :P :P :P



#253263 [V4.1 COMING!] LoganDark's Password Lock

Posted by LoganDark on 07 June 2016 - 06:40 PM in Programs

Lyqyd, on 07 June 2016 - 01:32 PM, said:

Moved to Programs.

this is definitely a utility, but okay...



#250960 [V4.1 COMING!] LoganDark's Password Lock

Posted by LoganDark on 25 April 2016 - 07:29 PM in Programs

Anavrins, on 25 April 2016 - 07:05 PM, said:

LoganDark, on 25 April 2016 - 06:57 PM, said:

I wanted it slow, but also secure. Hashing with 50 different salts is very secure, possibly even unbreakable without the help of the salts which are stored conveniently in the file for all to use lol.
Well, it's slow, which is a good thing, but not more secure, this construction is as strong as the innermost hash iteration in the loop.
Granted, it's probably never going to be cracked, but stating it's more secure is false, and because of that, having 50 salts is redundant and a waste of space.

Sure, it's not that more secure, but it's more secure nonetheless. Argument or not, it is, but it's not an improvement as much as from plaintext to 1 hash.



#253272 [V4.1 COMING!] LoganDark's Password Lock

Posted by LoganDark on 07 June 2016 - 07:03 PM in Programs

Anavrins, on 07 June 2016 - 07:00 PM, said:

LoganDark, on 07 June 2016 - 06:35 PM, said:

what big ol' paragraph?
A little bit of searching doesn't hurt... http://www.computerc...post__p__251479

oh, wait, you were talking about the table of completed hashes?

yes, that would be hard to do

then I'm keeping the salt



#250965 [V4.1 COMING!] LoganDark's Password Lock

Posted by LoganDark on 25 April 2016 - 07:35 PM in Programs

Jiloacom, on 25 April 2016 - 07:33 PM, said:

Anavrins, on 25 April 2016 - 07:05 PM, said:

Well, it's slow, which is a good thing, but not more secure, this construction is as strong as the innermost hash iteration in the loop.
Granted, it's probably never going to be cracked, but stating it's more secure is false, and because of that, having 50 salts is redundant and a waste of space.

Wait.. Since when has slow ever been a good thing? Just because one hash or encryption algorithm is slower than another, doesn't mean it's more secure. And in some scenarios, such as a computer lock (where I don't want to wait 10 seconds for my computer to unlock every time I reboot it), I think I'd prefer a faster, less secure algorithm than a slower, slightly more secure one.

Slower deters brute-force. But it's not that much more secure.



#253280 [V4.1 COMING!] LoganDark's Password Lock

Posted by LoganDark on 07 June 2016 - 07:46 PM in Programs

if you have password HI with salt 12345678 then the rainbow table might have a password called HI12345678 which ends up being the same hash, it wouldn't take much expertise to subtract 12345678 from HI12345678 to get HI.

just an example.



#250973 [V4.1 COMING!] LoganDark's Password Lock

Posted by LoganDark on 25 April 2016 - 07:46 PM in Programs

I am working on version 4 of my password lock system. Have suggestions? Now is the time to pitch in.



#253294 [V4.1 COMING!] LoganDark's Password Lock

Posted by LoganDark on 07 June 2016 - 11:41 PM in Programs

Anavrins, on 07 June 2016 - 07:55 PM, said:

LoganDark, on 07 June 2016 - 07:54 PM, said:

#REKT ANY OTHER PASSWORD SYSTEM, MINE IS OFFICIALLY THE (first) MOST SECURE SYSTEM ON THE FORUMS.
You're welcome.
Thanks lol, without your expertise in cryptography this wouldn't have been possible