| | yescrypt | password4j |
|---|---|---|
| Mentions | 3 | 5 |
| Stars | 116 | 333 |
| Growth | 5.2% | 2.1% |
| Activity | 3.4 | 8.0 |
| Last commit | 8 months ago | 20 days ago |
| Language | C | Java |
| License | - | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
yescrypt
-
Inception: Leaking the root hash from /etc./shadow on AMD Zen 4 [video]
When you look properly at the end of the video, the root hash starts with $y$, implying it's yescrypt.
more info here https://manpages.debian.org/unstable/libcrypt-dev/crypt.5.en...
https://www.openwall.com/yescrypt/
Once you have the hash, you have to use some rainbow tables, if they exist for that hash function, or brute-force it.
The authors of yescrypt claim: "Technically, yescrypt is the most scalable password hashing scheme so far, providing near-optimal security from offline password cracking across the whole range from kilobytes to terabytes and beyond."
In any way, this is a local attack: someone / some software on your local machine would need to execute it, so I am not overly stressed; password hashes leak all the time from all different sources.
Yet it does worry me, because my AMD stock is dropping in value because of this today :D
-
ELI5: Why is a password that uses numbers and letters stronger than one with only letters? The attackers don't know that you didn't use numbers, so they must include numbers in their brute force either way.
I believe SHA512 or yescrypt are the favored hashing algorithms.
-
PoS
Ya, yescrypt, and also yespower, which is a derivative for PoW, does it, so we can just use that code or fork it. Also, we would need a new idea to keep it CPU-viable forever, and I discovered a way to do that: simply increase the required memory size (called memory hardness) with Moore's law.
password4j
-
Safest way to salt and hash a password?
Argon2 - https://password4j.com/
-
bcrypt VS password4j - a user suggested alternative
2 projects | 20 Jun 2022
This library is much more maintained, can use more algorithms (not only bcrypt) and adopts fluent APIs.
- Password4j: a user-friendly library that supports modern cryptographic hash functions for your passwords!
- Password4j: a user-friendly library that supports modern cryptographic hash functions for your passwords! (/r/java)
What are some alternatives?
john - John the Ripper jumbo - advanced offline password cracker, which supports hundreds of hash and cipher types, and runs on many operating systems, CPUs, GPUs, and even some FPGAs
Tink - Tink is a multi-language, cross-platform, open source library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.
hmac-bcrypt - The hmac-bcrypt password hashing function
Kalium - Java binding to the Networking and Cryptography (NaCl) library with the awesomeness of libsodium
yespower - Proof-of-work scheme building upon yescrypt and scrypt
Jwks RSA
noble-hashes - Audited & minimal JS implementation of hash functions, MACs and KDFs.
SSLContext-Kickstart - 🔐 A lightweight high level library for configuring a http client or server based on SSLContext or other properties such as TrustManager, KeyManager or Trusted Certificates to communicate over SSL TLS for one way authentication or two way authentication provided by the SSLFactory. Support for Java, Scala and Kotlin based clients with examples. Available client examples are: Apache HttpClient, OkHttp, Spring RestTemplate, Spring WebFlux WebClient Jetty and Netty, the old and the new JDK HttpClient, the old and the new Jersey Client, Google HttpClient, Unirest, Retrofit, Feign, Methanol, Vertx, Scala client Finagle, Featherbed, Dispatch Reboot, AsyncHttpClient, Sttp, Akka, Requests Scala, Http4s Blaze, Kotlin client Fuel, http4k Kohttp and Ktor. Also gRPC, WebSocket and ElasticSearch examples are included
c-hash - LiamLoads is a fast and secure 256-bit hashing function in pure C.
otp-java - A small and easy-to-use one-time password generator library for Java implementing RFC 4226 (HOTP) and RFC 6238 (TOTP).
passay - Password policy enforcement for Java.
SecurityBuilder - Fluent builders with typesafe API for the JCA