> From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org]
> On Behalf Of Josh Smift
>
> JBS> Is there a list somewhere of sites and/or browsers who support
> JBS> CBcrypt today?
>
> ENH> No. I see it's been cloned and downloaded via NuGet hundreds of
> ENH> times, but there's no way to know who downloaded, or for what
> ENH> purpose.
>
> Not automatically, sure; but as evangelists of the technology, wouldn't it
> be useful to be able to say things like "Firefox now includes support for
> CBcrypt" (or "Google ..." or "Facebook ..." or whoever)?
The goal is to get CBCrypt, or at least something as good as it, into every client, every server, and every language. We have mocked up integration into browsers, but not yet implemented. Everything is in progress - meaning - not much is yet done. Synctuary is using it in production, and it's likely the only thing currently using it in production.

> ENH> I know Synctuary, LastPass, 1Password, and ProtonMail all do
> ENH> authentication and encryption without password exposure, using
> ENH> different techniques in the background.
>
> Hmm, I don't really see how LastPass and 1Password do this. Aren't they
> just encrypting a local collection of reusable passwords?
>
> (In the "reuse the same password every time I log in" sense, which is
> pretty much always what I mean by it.)

You'll have to look at their docs to be sure, but my understanding is that they expose a salt to the unauthenticated client, and the client runs pbkdf2 to derive a key (just some hash bytes, not an asymmetric key). They send the hash of the key for authentication, which grants access to download encrypted content, and then the content is actually decrypted client-side using the key that was never exposed.

As far as crypto is concerned, there are lots of ways to make the above process better, which is what we did (or are doing) in CBCrypt. But the above process, I am comfortable using, as long as the password was strong and randomly generated.

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
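The salt / PBKDF2 / hash-of-key flow described in the reply above, written out end to end as an added Python example. This is not code from CBCrypt, Synctuary, LastPass or 1Password, and nothing here is taken from the thread beyond the flow itself. Assumptions made for the demo: PBKDF2-HMAC-SHA256 with a fixed iteration count, SHA-256 of the derived key as the login token, subkeys split off the derived key with HMAC, and an HMAC-SHA256 keystream plus tag standing in for a real AEAD cipher (a production client would use AES-GCM or similar). The point the code makes is what each side holds: the server stores only the salt, the hash of the key and ciphertext, so a server compromise yields neither the password nor the decryption key.

```python
import hashlib
import hmac
import secrets

# Assumed for the demo; real services pick their own cost parameters.
PBKDF2_ITERATIONS = 200_000
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def derive_key(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Client side: turn the password and the server-supplied salt into 32 key bytes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def auth_token(key: bytes) -> bytes:
    """Client side: the only thing sent over the wire is a hash of the key (assumed SHA-256)."""
    return hashlib.sha256(key).digest()


def _subkey(key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys from the one derived key (assumed HMAC split)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: bytes) -> bytes:
    """Demo stand-in for a stream cipher: HMAC(enc_key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Client side: nonce || ciphertext || tag, all under keys the server never sees."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Client side: verify the tag first, then strip the keystream."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


class Server:
    """Everything the service stores: salt, hash-of-key, ciphertext. No password, no key."""

    def __init__(self, salt: bytes, stored_token: bytes, ciphertext: bytes):
        self.salt = salt
        self.stored_token = stored_token
        self.ciphertext = ciphertext

    def get_salt(self) -> bytes:
        """Handed to an unauthenticated client so it can run PBKDF2 locally."""
        return self.salt

    def login(self, token: bytes):
        """Constant-time compare of the presented hash-of-key; success releases the blob."""
        if hmac.compare_digest(token, self.stored_token):
            return self.ciphertext
        return None


def enroll(password: str, secret_data: bytes) -> Server:
    """Account setup, all done on the client; the server receives only derived values."""
    salt = secrets.token_bytes(SALT_LEN)
    key = derive_key(password, salt)
    return Server(salt, auth_token(key), encrypt(key, secret_data))


def client_login(server: Server, password: str):
    """The flow from the reply: fetch salt, derive key, send hash(key), decrypt locally."""
    key = derive_key(password, server.get_salt())
    blob = server.login(auth_token(key))
    if blob is None:
        return None
    return decrypt(key, blob)


if __name__ == "__main__":
    # Constructed sample data for the demo.
    srv = enroll("correct horse battery staple", b"vault: example entries")
    print(client_login(srv, "correct horse battery staple"))  # the vault bytes
    print(client_login(srv, "wrong password"))                # None
```

Note that the server's `login` never handles the derived key, and the stored token is a hash of it, so a dump of `Server` state gives an attacker only an offline PBKDF2 target, which is exactly why the reply conditions its comfort on the password being strong and randomly generated.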