Channel: Active questions tagged blowfish - Information Security Stack Exchange
Browsing latest articles
Browse All 28 View Live

What is the best way to securely keep clear passwords?

I'm working on a web project that will connect to a database. For that, I will have to store the login/password of that database user in clear (encrypted in a symmetrical way) in order to be able to...




PHP crypt() trims the salt as it would be too long

I am using Blowfish with PHP crypt() for password hashing but I noticed something weird. Quoting PHP documentation: CRYPT_BLOWFISH - Blowfish hashing with a salt as follows: "$2a$", "$2x$" or "$2y$", a...


Preventing dictionary attacks against hashed passwords [duplicate]

Possible Duplicate: How to securely hash passwords? I have a website and on that website I use SHA-256 and salt my users' passwords. What I'm doing right now is padding each letter of the user's password...


In this example why do they hash a randomly generated piece of salt before...

From here, in the code return substr(sha1(mt_rand()),0,22); what is the point of taking the sha1 value? It is appended to the password and together they are hashed using Blowfish. Why not just append...


Is mt_rand() suitable for generating a salt?

Assuming I have the following code in order to generate a random blowfish salt for saving a new password: $blowfishCharacters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./'; $salt =...



How difficult is it to crack salt portion of hash

I am writing a mobile application and I need to authenticate users against the server. The server side is written in PHP. I can't use cookies to store SID (Session ID), so I decided to send it at every request...


How do you know if blowfish key is correct?

Encryption novice here so maybe this question makes no sense... Obviously if you know what the clear text is and it decrypts right, you have it. But if someone is running through keys to break the...


openssl blowfish key limited to 256 bits?

I get the following error if I give a key that is greater than 64 hex characters (64*4=256 bits). According to this official document, blowfish is able to support keys from 32 to 448 bits. Variable key...



Is AES(Rijndael) faster than Blowfish?

I know theoretically that blowfish is much faster than aes. But I benchmarked several algorithms including aes and blowfish for 1MB, 5MB, 10MB etc. files on the Java 8 platform with the Bouncy Castle library. In...



Bruteforcing blowfish

I am quite new to encryption and recently played around with blowfish (openssl's implementation). I am using a 23 character password (case-sensitive alphanumeric random). I estimate the entropy to be...


“Official statement” on php.net : CRYPT_BLOWFISH is strongest hash algorithm....

First: I asked this question on stackoverflow and was kindly asked to post this here again. See the original question here. According to the [early] doc pages of the new PHP 5.5 password...


Can SSL using Blowfish cipher be considered strong enough?

I use OpenVPN to connect to a public VPN. Sometimes I connect from my college campus (it's fully open to alumni) and when this happens I can only use TCP SSL because the college network has a security...


Why are application/services still using outdated Blowfish encryption? Is it...

For example, CrashPlan, an online backup service, is using 448-bit Blowfish to encrypt its backup files (only enterprise product line has the ability to choose using AES-256). According to Blowfish's...



Is bcrypt safe with the 64-bit block cipher birthday attack?

Recent research made it apparent that birthday attacks are now 'viable' on 64-bit block ciphers which Blowfish uses. (the paper in pdf) At work we use BCrypt for password hashing, as I was thought that...


How do I generate a blowfish password hash in Ubuntu?

What's the command line to generate a blowfish password hash? I can't seem to figure this out at all. Apache's htpasswd only supports bcrypt, and openssl passwd doesn't even do blowfish hashes (but it...



OpenSSL 1.0.1t does not decrypt with -bf if encrypted with OpenSSL version...

I have encrypted a file with the same command line with two different openssl versions: 1.0.1t and 1.1.0e. Then I try to decode both with version 1.0.1t and I cannot decode the latter. Can you please...


openssl speed tells me blowfish is much quicker than md5, what am I missing?

So I ran openssl speed md5 && openssl speed blowfish and blowfish seems quicker than md5. Here are the results (ran on Windows WSL). $ openssl speed md5 && openssl speed blowfish Doing md5...



Mathematically, how long would it take to crack a bcrypt password hash?

So I'm currently using bcrypt to hash passwords with a randomly generated salt (as seen in the pip bcrypt module), with 12 rounds. I have been looking around, but I cannot find a detailed and clear...


Strength Blowfish and DES with current quantic computing and mandating backdoors

What is the strength of algorithms such as DES (Rijndael) and Blowfish used in password manager Safe password, with the current development (2018) of quantum computing, the former parallel processing,...


How many rounds should be used to hash card numbers?

We want the ability for payments made without logging in using one of their saved payment methods to be associated with the saved payment method. E.g. if they buy a recurring subscription to magazine 1...


Why do most hashing functions produce hashes that have characters a-f 0-9?

This is something I never understood about hashing functions. I know that algorithms like whirlpool and blowfish both produce outputs that don't follow this pattern, but why is it that most do? Is it...



Is multiple encryption a good idea?

I know that many encryption algorithms, while secure, have vulnerabilities. To reduce risks, would multiple encryption like this Blowfish_CbC ( Rc2_OFB ( AES128_CBC (myfilecontent))) be a good idea? I know...



Explain BCrypt like I'm 5

I know this is a little bit broad, but I'd like to understand the function of this algorithm by explaining like I'm 5. And I'd like to know the difference between BCrypt and blowfish, is it because...


Is Blowfish validated against any standards?

OWASP ASVS 3.0 V7.7 states the following: Verify that cryptographic algorithms used by the application have been validated against FIPS 140-2 or an equivalent standard. Blowfish is not included in NIST's...


If the bitcoin network was cracking bcrypt, what cost factor would you use?

Since the best example of pooled resource to crack hashes is the bitcoin network, currently churning through 2.14 ExaHashes/s. I want to ask, if the resources of this network were pointed towards...



Why does PHP password_hash use blowfish instead of threefish?

I was wondering why PHP's hash_password function uses blowfish instead of threefish. According to Bruce Schneier blowfish is outdated and he is recommending twofish or threefish. Is blowfish enough...


How to decrypt Blowfish Advanced CS encrypted file

Cleaning up my disk space, I found an encrypted file (*.bfa), which I encrypted with Blowfish Advanced CS (Version 2.13.00.002) about 15 years ago. I still have a copy of the original version of Bfacs,...


Why is Blowfish Cipher considered now "legacy" algorithm in OpenSSL?

I am not a security expert, so please forgive me if the question is too obvious. We have been working with Blowfish to encrypt some of our files. We recently updated our very old OpenSSL version from...
