William Yager [ARCHIVE] on Nostr
📅 Original date posted:2014-03-12
📝 Original message:
On Wed, Mar 12, 2014 at 4:08 PM, Jean-Paul Kogelman <jeanpaulkogelman at me.com> wrote:
>
> Agreed, this is a valid concern. This could possibly allow a 3rd party to
> crack the password, but then again, they would not gain access to any key
> material. So yes, you could expose your password, but your key would still
> be safe.
>
> If people feel strongly about this vulnerability, we can revisit step 4
> and adjust it to make password recovery more expensive.
>
>
Just to clarify on J.P.'s comments:

*If* you choose to outsource StrongH calculation, and *If* that machine is
compromised, then the security of your password is reduced to a single
round of salted PBKDF2-HMAC-SHA512. Your private key remains on the trusted
device, no matter what.

Regrettable, but not catastrophic.

Will
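
The delegation pattern described in the message above, as an added example that is not part of the original post or of the proposal under discussion. It assumes scrypt (with small demo parameters) as a stand-in for StrongH; the salt, the password and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Assumptions, not from the message: scrypt stands in for StrongH, and the
# parameters, salt and password below are constructed demo values.
SCRYPT_PARAMS = dict(n=2**10, r=8, p=1, dklen=32)
DEMO_SALT = bytes(range(16))


def pre_hash(password: str, salt: bytes) -> bytes:
    """Trusted device: a single round of salted PBKDF2-HMAC-SHA512."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 1)


def strong_h(pre: bytes, salt: bytes) -> bytes:
    """The expensive step that may be outsourced; its only input is `pre`."""
    return hashlib.scrypt(pre, salt=salt, **SCRYPT_PARAMS)


class Helper:
    """Untrusted machine doing the expensive step; logs what it is sent."""

    def __init__(self):
        self.seen = []

    def compute(self, pre: bytes, salt: bytes) -> bytes:
        self.seen.append((pre, salt))
        return strong_h(pre, salt)


def derive_on_device(password: str, salt: bytes, helper=None) -> bytes:
    """Derive the strong hash locally, or hand only the pre-hash to a helper."""
    pre = pre_hash(password, salt)
    return helper.compute(pre, salt) if helper else strong_h(pre, salt)


def guess_matches(candidate: str, pre: bytes, salt: bytes) -> bool:
    """Exposure if the helper is compromised: checking one password guess
    against a logged pre-hash costs one PBKDF2 round, not a StrongH run."""
    return hmac.compare_digest(pre_hash(candidate, salt), pre)


if __name__ == "__main__":
    helper = Helper()
    local = derive_on_device("constructed demo password", DEMO_SALT)
    remote = derive_on_device("constructed demo password", DEMO_SALT, helper)
    print("same result with and without helper:", local == remote)
    logged_pre, logged_salt = helper.seen[0]
    print("helper received", len(logged_pre), "byte pre-hash, no key material")
```

The helper's log holds only the pre-hash and the salt, which is why a compromise there affects the password's resistance to guessing and nothing else.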
Published at 2023-06-07 15:15:17