undefined | Better HN

0 pointsnabla91y ago0 comments

The use case was KDF and they decided to do simple password hash signature hack instead by combining strings. They fucked it up.

0 comments

ludwik1y ago

Of course they fucked it up, as evidenced by their bad security incident. The only question is whether you can really chalk this particular one up to a problem with "rolling your own crypto." That mantra exists for a reason, but it doesn’t feel like it really applies this time. It seems more like they used established crypto—just not the right one for this particular use case.

nabla9OP1y ago

Concatenating strings before giving it to the hash function instead of using KFD is rolling your own.

j / k navigate · click thread line to collapse

0 pointsnabla91y ago0 comments

The use case was KDF and they decided to do simple password hash signature hack instead by combining strings. They fucked it up.

0 comments

ludwik1y ago

nabla9OP1y ago

Concatenating strings before giving it to the hash function instead of using KFD is rolling your own.

j / k navigate · click thread line to collapse