Technology

58417 readers

4735 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related content.
Be excellent to each another!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, to ask if your bot can be added please contact us.
Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago

MODERATORS

546

NIST proposes barring some of the most nonsensical password rules (arstechnica.com)

submitted 1 week ago by Amicitas@lemmy.world to c/technology@lemmy.world

179 comments fedilink hide all child comments

Here is the text of the NIST sp800-63b Digital Identity Guidelines.

you are viewing a single comment's thread
view the rest of the comments

[–] Buddahriffic@lemmy.world 1 points 6 days ago

With the hash one, it doesn't look like that could be exploited by an attacker doing the bad hashing themselves, since any collisions they do find will only be relevant to the extra hashing they do on their end.

But that encryption one still sounds like it could be exploited by an attacker applying more encryption themselves. Though I'm assuming there's a public key the attacker has access to and if more layers of encryption make it easier to determine the associated private key, then just do that?

Though when you say they share the same secret, my assumption is that a public key for one algorithm doesn't map to the same private key as another algorithm, so wouldn't cracking one layer still be uncorrelated with cracking the other layers? Assuming it's not reusing a one time pad or something like that, so I guess context matters here.