From 3ea938e68770230491e9242c3dd88e859ff7a1e4 Mon Sep 17 00:00:00 2001 From: Chris Oei Date: Tue, 4 Sep 2012 08:26:15 -0700 Subject: [PATCH] Tweaked README.md --- README.md | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index d608781..9af6318 100644 --- a/README.md +++ b/README.md @@ -1,13 +1,15 @@ -There are a number of password generators such as SuperGenPass, PwdHash, etc. -that generate a site-specific password from a master password and the site's -URL. An attacker who obtains your site-specific password and the site's URL -could attempt to determine your master password by brute-force. Typically, -these password generators work by simply concatenating your master password -with the site's URL and computing a cryptographic (SHA1 or MD5) hash. These -hashes were designed such that they could be calculated very quickly, which -the opposite of what we want. A more secure method would be to use PBKDF2 or -bcrypt or Colin Percival's new scrypt algorithm, which would make a brute-force -attack many orders of magnitude more difficult. +There are a number of password generators such as SuperGenPass, +PwdHash, etc. that generate a site-specific password from a master +password and the site's URL. An attacker who obtains your site-specific +password and the site's URL could attempt to determine your +master password by brute-force. Typically, these password generators +work by combining your master password with the site's URL and +computing a cryptographic (SHA1 or MD5) hash (perhaps using HMAC). +These hashes were designed such that they could be calculated very +quickly, which the opposite of what we want. A more secure method +would be to use PBKDF2 or bcrypt or Colin Percival's new scrypt +algorithm, which would make a brute-force attack many orders of +magnitude more difficult. This project uses Colin Percival's scrypt as a password generator.
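Review bot: The rewrapped paragraph still carries the broken sentence "quickly, which the opposite of what we want" in its added lines; since every line of the paragraph is being rewritten anyway, change it to "which is the opposite of what we want". The only substantive edits in this hunk are "simply concatenating" becoming "combining" and the new "(perhaps using HMAC)", but they are buried in a full re-wrap, so the diff shows 12 added and 10 removed lines for two wording changes. Splitting the re-wrap from the wording change, or describing the wording change in the subject instead of "Tweaked README.md", would make it easier to review. The added "(perhaps using HMAC)" is hedged: either say which of the named generators use HMAC or drop the parenthetical. The closing claim that PBKDF2, bcrypt or scrypt make brute force "many orders of magnitude more difficult" depends on the cost parameters chosen, so the README should state the parameters this project uses.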