NIST proposes barring some of the most nonsensical password rules - eviltoast

Here is the text of the NIST sp800-63b Digital Identity Guidelines.

  • Buddahriffic@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    2 months ago

    With the hash one, it doesn’t look like that could be exploited by an attacker doing the bad hashing themselves, since any collisions they do find will only be relevant to the extra hashing they do on their end.

    But that encryption one still sounds like it could be exploited by an attacker applying more encryption themselves. Though I’m assuming there’s a public key the attacker has access to and if more layers of encryption make it easier to determine the associated private key, then just do that?

    Though when you say they share the same secret, my assumption is that a public key for one algorithm doesn’t map to the same private key as another algorithm, so wouldn’t cracking one layer still be uncorrelated with cracking the other layers? Assuming it’s not reusing a one time pad or something like that, so I guess context matters here.