101010.pl is one of the many independent Mastodon servers you can use to participate in the fediverse.
101010.pl czyli najstarszy polski serwer Mastodon. Posiadamy wpisy do 2048 znaków.

Server stats:

491
active users

#kdf

0 posts0 participants0 posts today
Erik van Straten<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@sophieschmieg" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>sophieschmieg</span></a></span> <span class="h-card" translate="no"><a href="https://infosec.exchange/@neilmadden" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>neilmadden</span></a></span> </p><p>IMO we need to stop coming up with algorithms to securely store "derivatives" of typically weak passwords, as</p><p> IT WILL FAIL.</p><p>From <a href="https://www.akkadia.org/drepper/SHA-crypt.txt" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">akkadia.org/drepper/SHA-crypt.</span><span class="invisible">txt</span></a>:<br>❝<br>In addition, the produced output for [...] MD5 has a short length which makes it possible to construct rainbow tables.<br>❞</p><p>Please correct me if I'm wrong, but even in 2025 suggesting that a rainbow table is feasible for (lets cut a few bits for MD5 weaknesses) random numbers of 120 bits in length is BS (in order to create FUD).</p><p>If I'm right about that, the least bad thing to do is:</p><p>1) Everyone should use a password manager (pwmgr) because people simply do not have the ability to come up with a sufficiently strong password that is *unique for each account*, let alone for multiple accounts (sometimes hundreds), to remember them absolutely error-free, and to recall which password was chosen for which account.</p><p>Note: IMO password *reuse* currently is the biggest threat. Entering a reused password on a fake (phishing) website may have devastating consequences, because (when a password is reused for multiple accounts) chances are that ALL those accounts are compromised. Note that the complexity and uniqueness of the password are IRELLEVANT. And, what KDF is used on the server, is IRRELEVANT as well.</p><p>2) Let the pwngr generate a (cryptographically) random password, as long and with as much entropy as allowed by the server.</p><p>3) Use a strong master password and NEVER forget it (typical beginner failure).</p><p>4) Make sure the database is backed up in more than one place, and make a backup after each modification.</p><p>5) Make sure that the device the password mamager is used on, *never* gets compromised.</p><p>6) Double check that https:// is used. Better, make sure to use a browser that blocks http:// connections and warns you (Safari on iOS/iPadOS now supports "Not Secure Connection Warning"). In all browsers such a setting is OFF by default: ENABLE IT!</p><p>7) On a mobile device: use "Autofill". The OS then transfers the domain name (shown in the browser's address bar) to the pwmgr. If a matching domain name is *not found* in the pw database, assume that you're on a (fake) phishing website! In that case: DO NOT ATTEMPT TO LOG IN by looking up credentials yourself. Reasons for 7, two examples:<br>----<br> fake: circle-ci·com<br> real: circleci.com<br>----<br> fake: lîdl.be<br> real: lidl.be<br>----</p><p>If people would follow this advice (which is not just mine), even MD5 for storing a one-way derivative of the password on the server would be fine.</p><p>HOWEVER: don't use MD5 - because "never use MD5 for whatever" is easier to remember than "don't use MD5 if preimage attacks are possible".</p><p>P.S. I'm not a cryptographer (although I'm quite interested in the matter).</p><p><a href="https://infosec.exchange/tags/MD5" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MD5</span></a> <a href="https://infosec.exchange/tags/PasskeysStillSuck" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PasskeysStillSuck</span></a> <a href="https://infosec.exchange/tags/PasswordManager" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PasswordManager</span></a> <a href="https://infosec.exchange/tags/Autofill" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Autofill</span></a> <a href="https://infosec.exchange/tags/DomainName" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DomainName</span></a> <a href="https://infosec.exchange/tags/httpVShttps" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>httpVShttps</span></a> <a href="https://infosec.exchange/tags/httpsVShttp" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>httpsVShttp</span></a> <a href="https://infosec.exchange/tags/KDF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KDF</span></a> <a href="https://infosec.exchange/tags/Argon2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Argon2</span></a> <a href="https://infosec.exchange/tags/scrypt" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scrypt</span></a> <a href="https://infosec.exchange/tags/bcrypt" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bcrypt</span></a> <a href="https://infosec.exchange/tags/KeyDerivationFunction" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KeyDerivationFunction</span></a> <a href="https://infosec.exchange/tags/OneWayDerivative" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OneWayDerivative</span></a> <a href="https://infosec.exchange/tags/HashFunction" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>HashFunction</span></a> <a href="https://infosec.exchange/tags/Cryptography" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Cryptography</span></a> <a href="https://infosec.exchange/tags/CryptographicHashFunction" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CryptographicHashFunction</span></a></p>
vitalis<span class="h-card"><a class="u-url mention" href="https://a.gup.pe/u/hema" rel="nofollow noopener" target="_blank">@<span>hema</span></a></span> <a class="hashtag" href="https://dirtyknight.life/tag/hema" rel="nofollow noopener" target="_blank">#HEMA</a> <a class="hashtag" href="https://dirtyknight.life/tag/kdf" rel="nofollow noopener" target="_blank">#KdF</a> <a class="hashtag" href="https://dirtyknight.life/tag/longsword" rel="nofollow noopener" target="_blank">#longsword</a>
Scott Arciszewski<p><a href="https://scottarc.blog/2024/06/04/attacking-nist-sp-800-108/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">scottarc.blog/2024/06/04/attac</span><span class="invisible">king-nist-sp-800-108/</span></a></p><p><a href="https://infosec.exchange/tags/NIST" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NIST</span></a> <a href="https://infosec.exchange/tags/crypto" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>crypto</span></a> <a href="https://infosec.exchange/tags/cryptography" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cryptography</span></a> <a href="https://infosec.exchange/tags/kdf" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>kdf</span></a> <a href="https://infosec.exchange/tags/prf" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>prf</span></a> <a href="https://infosec.exchange/tags/secuity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>secuity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a></p>
Heiko<p>I'm excited to announce the release of oct v0.11.0 🚀️</p><p>oct is a tool for inspecting, configuring and using <a href="https://fosstodon.org/tags/OpenPGP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenPGP</span></a> cards 🔒 (<a href="https://crates.io/crates/openpgp-card-tools" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">crates.io/crates/openpgp-card-</span><span class="invisible">tools</span></a>)</p><p>oct can now set up cards in <a href="https://fosstodon.org/tags/KDF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KDF</span></a> mode, the text output format was improved for readability, and some minor bugs were fixed.</p><p>Finally, version 0.11.0 uses <a href="https://fosstodon.org/tags/rPGP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rPGP</span></a>, a pure <a href="https://fosstodon.org/tags/Rust" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Rust</span></a> OpenPGP library 🦀.<br>As a result, the binary on <a href="https://fosstodon.org/tags/Linux" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Linux</span></a> links to four fewer dynamic libraries, while at the same time being 10% smaller.</p><p><a href="https://fosstodon.org/tags/RustLang" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RustLang</span></a> <a href="https://fosstodon.org/tags/GnuPG" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GnuPG</span></a> <a href="https://fosstodon.org/tags/gpg" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>gpg</span></a> <a href="https://fosstodon.org/tags/Nitrokey" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Nitrokey</span></a> <a href="https://fosstodon.org/tags/YubiKey" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>YubiKey</span></a></p>
Nicolas Fränkel 🇺🇦🇬🇪<p>What Are Key Derivation Functions?</p><p><a href="https://www.baeldung.com/cs/kdf-cryptography" rel="nofollow noopener" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">baeldung.com/cs/kdf-cryptograp</span><span class="invisible">hy</span></a></p><p><a href="https://mastodon.top/tags/cryptography" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cryptography</span></a> <a href="https://mastodon.top/tags/KDF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KDF</span></a></p>
Jeremi M Gosney :verified:<p>Many of you have been asking for my thoughts on the <a href="https://infosec.exchange/tags/LastPass" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LastPass</span></a> breach, and I apologize that I'm a couple days late delivering. </p><p>Apart from all of the other commentary out there, here's what you need to know from a <a href="https://infosec.exchange/tags/password" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>password</span></a> cracker's perspective!</p><p>Your vault is encrypted with <a href="https://infosec.exchange/tags/AES256" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AES256</span></a> using a key that is derived from your master password, which is hashed using a minimum of 100,100 rounds of PBKDF2-HMAC-SHA256 (can be configured to use more rounds, but most people don't). <a href="https://infosec.exchange/tags/PBKDF2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PBKDF2</span></a> is the minimum acceptable standard in key derivation functions (KDFs); it is compute-hard only and fits entirely within registers, so it is highly amenable to acceleration. However, it is the only <a href="https://infosec.exchange/tags/KDF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KDF</span></a> that is FIPS/NIST approved, so it's the best (or only) KDF available to many applications. So while there are LOTS of things wrong with LastPass, key derivation isn't necessarily one of them.</p><p>Using <a href="https://infosec.exchange/tags/Hashcat" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Hashcat</span></a> with the top-of-the-line RTX 4090, you can crack PBKDF2-HMAC-SHA256 with 100,100 rounds at about 88 KH/s. At this speed an attacker could test ~7.6 billion passwords per day, which may sound like a lot, but it really isn't. By comparison, the same GPU can test Windows NT hashes at a rate of 288.5 GH/s, or ~25 quadrillion passwords per day. So while LastPass's hashing is nearly two orders of magnitude faster than the &lt; 10 KH/s that I recommend, it's still more than 3 million times slower than cracking Windows/Active Directory passwords. In practice, it would take you about 3.25 hours to run through rockyou.txt + best64.rule, and a little under two months to exhaust rockyou.txt + rockyou-30000.rule. </p><p>Keep in mind these are the speeds for cracking a single vault; for an attacker to achieve this speed, they would have to single out your vault and dedicate their resources to cracking only your vault. If they're trying 1,000 vaults simultaneously, the speed would drop to just 88 H/s. With 1 million vaults, the speed drops to an abysmal 0.088 H/s, or 11.4 seconds to test just one password. Practically speaking, what this means is the attackers will target four groups of users:</p><p>1. users for which they have previously-compromised passwords (password reuse, credential stuffing)<br>2. users with laughably weak master passwords (think top20k)<br>3. users they can phish<br>4. high value targets (celebs, .gov, .mil, fortune 100)</p><p>If you are not in this list / you don't get phished, then it is highly unlikely your vault will be targeted. And due to the fairly expensive KDF, even passwords of moderate complexity should be safe.</p><p>I've seen several people recommend changing your master password as a mitigation for this breach. While changing your master password will help mitigate future breaches should you continue to use LastPass (you shouldn't), it does literally nothing to mitigate this current breach. The attacker has your vault, which was encrypted using a key derived from your master password. That's done, that's in the past. Changing your password will re-encrypt your vault with the new password, but of course it won't re-encrypt the copy of the vault the attacker has with your new password. That would be impossible unless you somehow had access to the attacker's copy of the vault, which if you do, please let me know? </p><p>A proper mitigation would be to migrate to <a href="https://infosec.exchange/tags/Bitwarden" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Bitwarden</span></a> or <a href="https://infosec.exchange/tags/1Password" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>1Password</span></a>, change the passwords for each of your accounts as you migrate over, and also review the MFA status of each of your accounts as well. The perfect way to spend your holiday vacation! Start the new year fresh with proper password hygiene.</p><p>For more password insights like this, give me a follow!</p>
Diniz Cabreira<p>E aí estamos!<br>Aos poucos, com as necessárias medidas de segurança e o duplo de máscaras das habituais, sem corpo a corpo... Mas retornando passeninho à atividade. :) </p><p>Arte do Combate é uma escola de artes marciais que estuda técnicas do final da Idade Média. Aprende mais acerca de nós: <a href="http://artedocombate.gal/" rel="nofollow noopener" target="_blank"><span class="invisible">http://</span><span class="">artedocombate.gal/</span><span class="invisible"></span></a></p><p><a href="https://masto.donte.com.br/tags/HEMA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>HEMA</span></a> <a href="https://masto.donte.com.br/tags/KunstDesFechtens" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KunstDesFechtens</span></a> <a href="https://masto.donte.com.br/tags/fencing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>fencing</span></a> <a href="https://masto.donte.com.br/tags/medieval" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>medieval</span></a> <a href="https://masto.donte.com.br/tags/martialarts" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>martialarts</span></a> <a href="https://masto.donte.com.br/tags/artesmarciais" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>artesmarciais</span></a> <a href="https://masto.donte.com.br/tags/artesmarciales" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>artesmarciales</span></a> <a href="https://masto.donte.com.br/tags/esgrima" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>esgrima</span></a> <a href="https://masto.donte.com.br/tags/galiza" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>galiza</span></a> <a href="https://masto.donte.com.br/tags/galicia" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>galicia</span></a> <a href="https://masto.donte.com.br/tags/history" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>history</span></a> <a href="https://masto.donte.com.br/tags/historia" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>historia</span></a> <a href="https://masto.donte.com.br/tags/KdF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KdF</span></a> <a href="https://masto.donte.com.br/tags/combate" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>combate</span></a> <a href="https://masto.donte.com.br/tags/sword" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>sword</span></a> <a href="https://masto.donte.com.br/tags/swords" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>swords</span></a> <a href="https://masto.donte.com.br/tags/swordmanship" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>swordmanship</span></a></p>
Diniz Cabreira<p>What is <a href="https://masto.donte.com.br/tags/hema" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>HEMA</span></a>?<br>5/6</p><p>But it's not all <a href="https://masto.donte.com.br/tags/kdf" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KdF</span></a>. There were others like <a href="https://masto.donte.com.br/tags/fiore" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Fiore</span></a> de'i Liberi, who wrote the <a href="https://masto.donte.com.br/tags/flosduellatorum" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FlosDuellatorum</span></a> (<a href="https://masto.donte.com.br/tags/flowerofbattle" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FlowerOfBattle</span></a>), where he explores basically the same weapons, but with a different style. </p><p>In the following centuries we have a bunchload of treatises: <a href="https://masto.donte.com.br/tags/saber" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>saber</span></a> and <a href="https://masto.donte.com.br/tags/smallsword" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>smallsword</span></a> from the napoleonic era, <a href="https://masto.donte.com.br/tags/staff" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>staff</span></a> and pole weapon systems from the late middle ages, <a href="https://masto.donte.com.br/tags/rapier" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rapier</span></a> from the Iberian and Italian, <a href="https://masto.donte.com.br/tags/boxing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>boxing</span></a> and <a href="https://masto.donte.com.br/tags/bartitsu" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bartitsu</span></a> from the late victorian Britain... take your pick.</p>
Continued thread

What is #HEMA?
4/6

#Liechtenauer's disciples and associates extendeded the art to different weapons: Ott Jud taught #wrestling (#Ringen); Lekuchner the one-handed knife-sword #LangesMesser (or just #Messer); others focused on #dagger (#degen)...

#KdF would thrive for over 300 years, outgrowing its usefulness and turning into sport before becoming defintiely extint in the XVIII century. But thanks to the treatises these masters wrote, today we can reconstruct them!

Continued thread

What is #HEMA?
3/6

I study the teachings of the XIV century fight master Johannes #Liechtenauer . These are usually called #KunstDesFechtens (#KdF, the «art of combat»).

He composed a poem, called the #Zettel, which describes «with secret and hidden words» techniques and advice on fighting with the two-handed #sword (#longsword), in (#Harnischfechten) and out of armour (#Bloßfechten), and also on #horse (#Roßfechten) with the #spear.

(Yes, that's me, teaching. I'm a #showoff , I know.)