Steve Thomas
LibreSSL's `getentropy_urandom()` calls `gotdata()` which checks if the data is not all zeros. If you are calling this for short random integers, then all zeros is a very possible random...
Signed char bug: $2y$ is using the correct code. The $2x$ (the old $2a$) extended the sign bit of a character on top of at most the 3 characters before...
The default settings of PBKDF2-SHA1 with an output length of 66 bytes are bad. The way PBKDF2 works, the defender is doing 4 times more work than an attacker. There should be...
You should order masks by efficiency (`occurrences/key_space`) because this will lead to fewer guesses to crack passwords. Looking at the top 5: https://github.com/kaonashi-passwords/Kaonashi/blob/5239bd333ed34993b43126a4499606ba70086034/masks/kaonashi_masks_numbered.txt#L1-L5 And ordering just the 1000 in...
**Expected Behavior** `Pbkdf2PasswordEncoder` should not let you generate a hash longer than the hash function. This should either return an error or reduce the output size to match the hash...
If you enter a long password it will take significantly longer. This runs in `O(pwLen * rounds)` time instead of in `O(pwLen + rounds)` time. Ideally you'd want to do...
Instead of using `table[1/2]` which is `t` use `tt` which is `t**2`.
You should be using a constant time base64 encode/decode. I'd suggest using: https://github.com/Sc00bz/ConstTimeEncoding
Remove

* Basic.pm
* RandomDotOrg.pm

If for some reason you want to keep RandomDotOrg.pm you should fix https://github.com/bbusschots/hsxkpasswd/blob/f2fcccc4132ea04d42a79c8c5e7e77e15acfdf49/lib/Crypt/HSXKPasswd/RNG/RandomDotOrg.pm#L197-L198

```
my $dec = $line/($RDO_MAX_INT+1); unless($dec >= 0 && $dec
```