hcta | 1 year ago

1. What you're describing as a "file" is really no different from a "password". I assume you're choosing to call it a "file" because you're picturing generating some huge blob, but a randomly generated password doesn't need to be very long to be effectively uncrackable, so I think you're proposing wasting time/bandwidth for no added security.

2. You should always "salt" stored password hashes. https://en.wikipedia.org/wiki/Salt_(cryptography)

3. I think you should look at resources like https://www.vice.com/en/article/wnx8nq/why-you-dont-roll-you... https://security.stackexchange.com/questions/18197/why-shoul... https://www.infosecinstitute.com/resources/cryptography/the-... to examine the arguments against trying to develop your own security schemes as someone with less experience in this space.

anbardoi | 1 year ago

I appreciate the resources; I read each of them. The file is essentially no different from a password, but the major difference here is that I would not store the file on my server, nor the decryption keys. Only the sha256 checksum of the file. An attacker can do very little with a checksum associated with user data. I know this is a novel approach, but that's why I'm trying this on a project that is hardly sensitive as an anonymous blogging platform. If there are vulnerabilities, the data gained by an attacker would not even be very valuable.
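
Added example, not part of the thread and not either commenter's code: the server-side record for the keyfile scheme discussed above, with the bare SHA-256 checksum next to a per-user salted digest. The function names, the 32-byte keyfile and the 16-byte salt are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SALT_BYTES = 16  # assumed salt length for this example


def make_keyfile(n_bytes: int = 32) -> bytes:
    """Client side: a random secret. 32 bytes already carries 256 bits of entropy."""
    return secrets.token_bytes(n_bytes)


def unsalted_record(keyfile: bytes) -> str:
    """What the thread describes: the server keeps only SHA-256 of the file."""
    return hashlib.sha256(keyfile).hexdigest()


def salted_record(keyfile: bytes) -> dict:
    """Same scheme, with a random per-user salt stored beside the digest."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.sha256(salt + keyfile).hexdigest()
    return {"salt": salt.hex(), "digest": digest}


def verify(keyfile: bytes, record: dict) -> bool:
    """Server side: recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.sha256(salt + keyfile).hexdigest()
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    shared = make_keyfile()  # constructed case: two accounts reuse one keyfile
    # Unsalted: identical files give identical records, so a database dump
    # shows which accounts share a secret.
    print("unsalted match:", unsalted_record(shared) == unsalted_record(shared))
    alice, bob = salted_record(shared), salted_record(shared)
    # Salted: the stored digests differ even though the secret is the same.
    print("salted match:  ", alice["digest"] == bob["digest"])
    print("verify ok:     ", verify(shared, alice))
    print("wrong keyfile: ", verify(make_keyfile(), alice))
```

A single SHA-256 pass is only reasonable here because the secret is assumed to be a long random value; a human-chosen password would call for a deliberately slow key-derivation function in place of the plain hash.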