If you haven’t read Part 1, please do so.

Although the criticism of Part 2 should be taken with a grain of XKCD Salt (even the primary plaintiff admitted that it would take him 2 months to crack the final salted SHA-512; usually your attacker shouldn’t have your shadow file, and having stored them as anything less is just plain not secure), I will acknowledge it has some merit. Doing a base64 transformation on hex-only digits is a bad idea, and does not have nearly enough possible combinations. Nothing is going to be more secure than random, but random isn’t really recoverable if you lose it. That’s why I do some kind of transformation.

I believe that somewhere someone suggested that it would be better to convert from the binary digest into base64, as it would be more random than from hex. I believe this is accurate, but the method suggested was in Perl, which is kind of messy and, more importantly, hard to remember. So I asked on unix.stackexchange.com how I could do this on the command line. Here’s the answer I decided to accept:

    echo -n date | openssl dgst -binary -sha512 | base64

Remember, you should slightly modify the result in a way that you can remember in your head to make it random, and probably use something in place of the “date” command, since it’s not reproducible.

Again: this is not meant to be as secure as random passwords, just secure enough compared to non-random alternatives.
–
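The following shell functions are an added example, not part of the original post or the stackexchange answer. They wrap the same binary-SHA-512-to-base64 pipeline in a function that hashes a phrase passed as an argument (note that `echo -n date` in the one-liner above hashes the four literal characters "date", not the output of the date command), and put the hex-then-base64 route beside it so the difference in alphabet the post describes can be measured. The function names and the sample phrase are my own.

```shell
#!/bin/sh
# Added example (not the post's own code). Derive a password-like string from
# a secret phrase using binary SHA-512 -> base64, as in the accepted answer.

# Binary digest route: 64 raw digest bytes -> 88 base64 characters ("==" padded).
# printf '%s' avoids the portability problems of "echo -n" and adds no newline.
derive_from_binary() {
    printf '%s' "$1" | openssl dgst -binary -sha512 | base64 | tr -d '\n'
}

# Hex digest route the post argues against: the 128 hex characters (only 16
# distinct byte values) are fed to base64 as text -> 172 characters.
# The sed strips the "SHA512(stdin)= " / "(stdin)= " prefix openssl prints.
derive_from_hex() {
    printf '%s' "$1" | openssl dgst -sha512 | sed 's/^.*= *//' \
        | tr -d '\n' | base64 | tr -d '\n'
}

# Number of distinct characters in a string: a rough view of how much of the
# 64-character base64 alphabet each route actually uses. Because hex input
# bytes are limited to 0-9 and a-f, the hex route can never produce more than
# 38 distinct base64 characters (39 with the "=" padding).
distinct_chars() {
    printf '%s\n' "$1" | fold -w1 | sort -u | wc -l | tr -d ' '
}

# Stand-alone demo: ./derive.sh 'some phrase you can remember'
if [ "$#" -gt 0 ]; then
    bin=$(derive_from_binary "$1")
    hex=$(derive_from_hex "$1")
    printf 'binary -> base64 (%s chars, %s distinct): %s\n' \
        "${#bin}" "$(distinct_chars "$bin")" "$bin"
    printf 'hex    -> base64 (%s chars, %s distinct): %s\n' \
        "${#hex}" "$(distinct_chars "$hex")" "$hex"
fi
```

The output is deterministic for a given phrase, which is the recoverability the post wants; as the post says, take a slice of it and alter it in a way you can remember rather than using the full encoded digest verbatim.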
This work by Caleb Cushing is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.