This repository has been archived by the owner on Apr 16, 2019. It is now read-only.

Q: Why 'use' passwords? #54

Closed
ecki opened this issue Oct 31, 2016 · 2 comments

@ecki

ecki commented Oct 31, 2016

You asked for questions in issue form, so here is one: Iron is based on deriving keys for encryption and authentication from a password with a PBKDF. By default it uses a low iteration count.

I wonder why allow passwords at all. In a similar system I am using (hex-encoded) completely random keys (and a tool to generate them together with a random ID). I derive the actual encryption keys with HKDF since I am sure there is no entropy problem with non-humanly chosen secrets.

@hueniverse
Contributor

If by allowing passwords you mean not requiring buffer keys that are fed directly into iron, I don't see the harm in that. These tools are designed to be used by people who fully understand the security properties of the protocol. Iron's usage of passwords makes sense for the many other use cases it is used for.

@hueniverse hueniverse self-assigned this Nov 24, 2016
@Dynom

Dynom commented Nov 25, 2016

[...] These tools are designed to be used by people who fully understand the security properties of the protocol. [...]

So was oAuth2 @hueniverse (-;
