If so, I'd like to add my 6 mBTC to it!
This is a unique kind of question in relation to bitcoin. As far as my knowledge is concerned there are no such thing as a database for inaccessible bitcoins since we cannot monitor those inaccessible bitcoins. Also people who have inaccessible bitcoins does not report it and if they report it there is no one who are taking notes on it and compiling them. That's correct. There is no way to know if somebody own the private key that has to be used to spend an unspent output. Offcourse, there are a couple addresses known that have been used to "burn" bitcoins, for example: https://blockchain.info/address/1BitcoinEaterAddressDontSendf59kuEIt's not because an unspent output hasn't been spent for years and years that it's automatically "inaccesible". It might also be a cold storage address. |
|
|
|
Am I being naive here, but surely if you run a node at home, your isp will see the packets, and know that you have a Bitcoin node running. He probably won't care though. In my opinion if you want complete privacy, then you need to go public, and use a variety of public WiFi services.
Your isp won't be able to analyse your traffic if you run your node as a hidden service or over a VPN... Sure, he'll be able to monitor your bandwith usage, but that's about all |
|
|
|
Why use this?
The problem is that when a hacker gets your text file containing your PK then he can use it but if you encrypt it then he will only see a jumbled and unreadable characters in the file and the only way to decrypt it is using a password and the key so are more way safe.
why not just use (or implement) BIP38 encryption? if someone used your program, he will be very dependent on your program but by utilizing standard BIP38 encryption, this will help user acceptance and assurance on future support and help +1 An IF you REALLY do not want to use bip38 encryption, i'd rather just encrypt my private key using openssl (but my primary choice would be Thirdspace's suggestion: bip38 encryption): echo "my private key" | openssl enc -aes-256-cbc -a
and to decrypt echo "encrypted private key" | openssl enc -aes-256-cbc -a -d
you can even pick the cypher type you want to use... For example: -aes-128-cbc -aes-128-cbc-hmac-sha1 -aes-128-cbc-hmac-sha256
-aes-128-ccm -aes-128-cfb -aes-128-cfb1
-aes-128-cfb8 -aes-128-ctr -aes-128-ecb
-aes-128-gcm -aes-128-ofb -aes-128-xts
-aes-192-cbc -aes-192-ccm -aes-192-cfb
-aes-192-cfb1 -aes-192-cfb8 -aes-192-ctr
-aes-192-ecb -aes-192-gcm -aes-192-ofb
-aes-256-cbc -aes-256-cbc-hmac-sha1 -aes-256-cbc-hmac-sha256
-aes-256-ccm -aes-256-cfb -aes-256-cfb1
-aes-256-cfb8 -aes-256-ctr -aes-256-ecb
-aes-256-gcm -aes-256-ofb -aes-256-xts
-aes128 -aes192 -aes256
-bf -bf-cbc -bf-cfb
-bf-ecb -bf-ofb -blowfish
-camellia-128-cbc -camellia-128-cfb -camellia-128-cfb1
-camellia-128-cfb8 -camellia-128-ecb -camellia-128-ofb
-camellia-192-cbc -camellia-192-cfb -camellia-192-cfb1
-camellia-192-cfb8 -camellia-192-ecb -camellia-192-ofb
-camellia-256-cbc -camellia-256-cfb -camellia-256-cfb1
-camellia-256-cfb8 -camellia-256-ecb -camellia-256-ofb
-camellia128 -camellia192 -camellia256
-cast -cast-cbc -cast5-cbc
-cast5-cfb -cast5-ecb -cast5-ofb
-des -des-cbc -des-cfb
-des-cfb1 -des-cfb8 -des-ecb
-des-ede -des-ede-cbc -des-ede-cfb
-des-ede-ofb -des-ede3 -des-ede3-cbc
-des-ede3-cfb -des-ede3-cfb1 -des-ede3-cfb8
-des-ede3-ofb -des-ofb -des3
-desx -desx-cbc -id-aes128-CCM
-id-aes128-GCM -id-aes128-wrap -id-aes192-CCM
-id-aes192-GCM -id-aes192-wrap -id-aes256-CCM
-id-aes256-GCM -id-aes256-wrap -id-smime-alg-CMS3DESwrap
-rc2 -rc2-40-cbc -rc2-64-cbc
-rc2-cbc -rc2-cfb -rc2-ecb
-rc2-ofb -rc4 -rc4-40
-rc4-hmac-md5 -seed -seed-cbc
-seed-cfb -seed-ecb -seed-ofb
|
|
|
|
Altough i do have questions about why you'd want to hide your node, here's a how-to on how to run your node as a hidden service on tor: https://en.bitcoin.it/wiki/Setting_up_a_Tor_hidden_serviceBut like achow101 and bob123 already explained: usually, there is no good reason to do this... Ip's are not recorded on the blockchain. If you create a new transaction and broadcast it trough your node, your peer will not know wether you created that transaction, or merely broadcasted somebody else's transaction... |
|
|
|
|
The best way to avoid a copy/paste virus is not to download "risky" executables on the same machine you use to create transactions/store wallets. Also: keep away from risky websites. I mean, if you're browsing the web visiting illegal download sites, download pirated programs, download software from people you don't trust,... you shouldn't be supprised if your pc became infected sooner or later...
I prefer to run linux, don't use the root user unless absolutely necessary, only download binaries from my trusted repos, run clamav on all packages i download (even from trusted sources), make sure my firewall is properly configured and make sure i update my packages regularly.
So far, i haven't had a single virus on my machine (ever).
|
|
|
|
--snip-- You now have me worried! I have 3 paper wallets for different coins. I did not go through all those steps with a clean, offline pc  Well, the clean, offline clean PC and rebooting it afterwards is to make sure that: - nobody is able to see your screen... For example, if you're using a corporate PC, things like VNC can be installed and somebody can be looking at your screen without your knowledge
- no trojan/virus/spyware/... potentially running in the background is able to send data to an attacker (data including screencaps, content of the clipboard, wallet files,...
- rebooting is because you want to make sure your private key, seed or passphrase are defenatly no longer stored in your PC's/printer's memory
So, yeah, i'd defenatly recommand running a paper wallet generator on an offline PC. The odds of exposing your private keys are very small, even if you're running on an online machine, but the purpose of a paper wallet is to store a lot of value for a long time in a very secure manner. So, if you generate a paper wallet without all the necessary precautions, imho you could have just used a desktop wallet... Much easyer to spend funds, new addresses for every transaction, change addresses, added functionality like the ability to sign messages without having to mess with the private key,... Basically, as soon as your private key touches an online machine, it's no longer to be considered "as safe as humanly possible". The odds of it being compromised are small, but they still exist. If you don't store a lot of value on those paper keys of yours, i wouldn't worry to much. If you store a significant amount of value, you can always generate a new paper wallet following the proper procedure, then sweep your old wallet and use the funds to fund the properly generated wallet... no biggie... |
|
|
|
Fold the paper in half width wise sharpen the crease in the left side of button narrow edge together
^^ @Catwoman13: I have no idear what you are saying... It just looks like a random bunch of words to me...^^ @OP: one important thing that hasn't already been mentioned: do not forget to use bip38 encryption! Also i don't think it has been stressed enough that you should really download bitaddress's sourcecode and run it on a clean, offline machine (it has been mentioned by other posters, but i really feel they didn't put the necessary emphasis on this fact)... Print it on a printer that isn't connected to your network and reboot both your pc and your printer once you're done... Also, make sure to securely wipe any transfer medium used to transfer the paper wallet to your printer (just deleting the pdf or png is not sufficient, neither is fast formatting) |
|
|
|
--snip--
I use the blockchain wallet.
I never use an online wallet (i think they're inherently unsafe), but pooya87 is correct, you should be able to use the recovery seed to derive all private keys for all addresses that'll ever be generated by your wallet (both keys whose addresses were already funded, and keys that have yet to be generated). BUT... Like i said: if your ONLY goal is to tag your address on blockchain.info, there is no need to export your private keys! The only things necessary for tagging an address on blockchain.info is: the address, your tag and a signed message.
AFAIK, blockchain.info's wallet allows you to sign messages directly from their gui... No need to perform the potentially dangerous export of your private keys...EDIT: seems like i was wrong: blockchain.info only allows you to sign messages with imported keys, not with keys generated by their HD wallet  So, in the end, i guess you will have to export your private keys (or generate your xprv and import that into electrum).... Personally, i wouldn't bother... Why risking exposing your private key so your name will pop up on one single website... Doesn't seem like a good deal to me... Want my advice? Forget about tagging your address on blockchain.info. Unless you're a big company that will heavily rely on this address for message signing, there is no need to tag an address... As a matter of fact, it's rather contraproductive if you want some pseudo-anonimity. My second advice would be to download a proper wallet on a clean pc, encrypt the wallet, make a proper backup of the encrypted wallet (or write down the seed and store it in a secure place). Afterwards move your funds from blockchain.info to the proper wallet... |
|
|
|
THANK YOU TOO MUCH TO EVERYONE TO ANSWER...
Well, too much people here know how to do the first doubt "how to name your public key". But as I didnīt know it was that it needed the private key. As I didnīt know it and now that I know it. So Please help (us) me to how to get the private key. To be more specific and for people donīt think I want to steal btc from others, what I need is, How can I get the private key of my own public key wallet?
Usually it's pretty simple... Which wallet are you using to generate addresses? Most wallets allow you to export private keys, or you can use the recovery seed to generate the xprv, which you can use to derive pk's. BTW: most wallets also allow you to sign messages directly... So if the only reason why you want the pk is so you can tag your address on blockchain.info, there is usually no need to export your keys (it's usually a bad idear to export private keys) |
|
|
|
The first time I heard about Ledger Nano S wallet! How much money Ledger Nano S wallet ?
Check it here: https://www.ledgerwallet.com/products/ledger-nano-sBuy from this official site only. Buying from ebay involves some extra risk. There were some cases of stealing funds in the past so I don't recommend buying it somewhere other than official website. Every wallet has its advantages and disadvantages. If you use a nano s ledger wallet, it will keep you away from hackers, but it's a downside if you lose everything when you lose or get stolen your wallet. Not if you set your wallet up in a correct way... The ledger nano S even comes with a recovery sheet where you can write down the 24 seed words.... If you lose your ledger, but still have this seed written down, you can either buy a new ledger and use the seed to restore your wallet, you can use a compatible desktop wallet (but lose the extra security since your wallet seed words now touched an online machine) or you can use one of the many tools to calculate the xprv and derive the private keys directly. If your wallet gets stolen, the thief has 3 chances to unlock your wallet, after which it'll be erased automatically... A while ago, i've read that somebody was able to recover his wallet after he lost the seed and forgot the pin, but it took a long time and a lot of effort. If your hardware wallet gets stolen, and you immediately use the seed to recover your wallet using, for example, electrum, then empty out your wallet by funding an address generated by an uncompromised wallet, you should be fine. Ofcourse, the seed words also come with a downside: if somebody gets his hands on your recovery sheet, he can empty out your wallet in a matter of minutes... But even then, tools like safe deposit boxes, encryption,... can reduce this risk to a great extent. |
|
|
|
--snip-- The steps for a newbie about how to get the private key of your public key.  There must be some confusion here... If you have a private key, you can use it to calculate your public key. Once you have your public key, you can hash it. The hash of the public key is commonly known as the address. There is no way to reverse the process. In other words, starting from an address, the only way to know the public key is to look at a transaction spending an unspent output that funded that address. This transaction also broadcasted the public key belonging to that address (otherwise the nodes could not verify the signature). If you generate a new address and fund it, but never use those unspent outputs (in other words: never spend from that address), nobody will ever know your public key either. Starting from a public key, there is no way to find the private key, unless you bruteforce the complete keyspace, which is close to impossible... What a program like vanitygen does is iterate trough thousands of private keys per second, calculate their public key, hash this public key and see if the resulting address matches the desired pattern. A "normal" wallet either generates a completely random private key, or it derives it's private key from a master private key. This results in "random"-looking (non-vanity) addresses. None of this actually matters in regard to your original question, which was already answered by franky1. Those "naming"-tags you see next to Theymos's address are just tags entered on the private blockchain explorer blockchain.info. They are just kept in their private database, not stored in the public ledger. If blockchain.info ever deletes it's database, all those tags are gone... If blockchain.info ever delete it's nodes, not much will happen, since the complete blockchain is stored by hundreds of nodes. |
|
|
|
vanity gen is for when you want to create an address such as 1elect..... tags is a option on blockchain.info to tag an address. for when some one looks at the adress on blockchain.info https://blockchain.info/tagsDo you know how to get the private key securely? What do you mean, "get the private key securely?". Just use a decent wallet on a clean computer (or even better: a hardware wallet), it'll generate your private keys for you in a secure way.. If you want a private keys whose public key hash results in a vanity address (an address starting with, or containing a certain sequence of desirable characters), franky1 already answered your question: vanitygen https://en.bitcoin.it/wiki/Vanitygen |
|
|
|
I am 100% of the thought process that you just shared and I am not into any development and/or creating any group.
Being with the experience in the field, My aim is rather to understand how the groups currently working and advertising in this field doing so. Do they really think this is achievable(what is being promised), if so what is the process?
*disclaimer*: the following text reflects my personal beliefs, they talk about my gut feeling, so the following text should in no way be interpreted as an official statementI personally believe that the altcoin/bounty subforums is filled with scams... Just pump and dumps, quick scams or worthless shitcoins. I guess a maximum of 10% of the announced projects in these subforums have some sort of legitimacy (at least, i belief a maximum of 10% of the announced tokens start with good intentions), and only a very few of those 10% actually result in a project that does what's promised. The other projects are just some get-rich-quick schemes, or just script kiddies trying to clone some coins in order to get famous. As soon as i see a token/altcoin announcement talking about a serious subject in combination with the word ICO, bounty, campaign,... I just stop reading... It's not worth my time. These scammers usually just pick a subject, any subject, create a colorfull ANN thread with a mock whitepaper, clone a clonecoin and try to scam the community by releasing an ICO, and try to draw community members into their madness by promising stakes of their scamcoin if they promote the hell out of it. As far as i'm concerned, i haven't seen any believable project that combines medical data storage with a believable token... But like i said: i have an extremely short attention span when it comes to new altcoins. As soon as something (anything) seems off to me, i just walk away... It's not worth my time. |
|
|
|
Thanks, This is what i am trying to understand. Is it really so simple to utilize the blockchain in healthcare specially for the patient data. Are there complexities which either are already taken care of or are not yet understood and not even talked about.
Also considering that this data will be global and each country has different regulations, which would be considered?
Hoping to understand this is due course of this discussion and looking forward for some experts in this field to shed lights on how this is being done currently.
Well, like i said: it's a dual answer. Easy technically: sure, just find a competent dev and he'll be able to create a blockchain in a matter of weeks Easy legally: nope, not by a longshot... In a lot of developed countries, the medical secret outweighs even some legal affairs. Just do the exercise without thinking about blockchain technology... Just imagine if you were uploading data onto a medium like facebook, redit, twitter but you only had an account that was able to post data, but doesn't have the authority to edit or delete data... Which patient data would you be willing to upload? My initial reaction would be: none... Not even with a signed informed consent from the patient, Not even the initials of your patients, Not even the internal database's private keys (which would be utterly useless without a complete data breach of your hospital),... Being from the EU myself, i can safely say that even within the EU there would be hardly any data you could ever upload without getting into ethical or legal problems. I mean: at the time i was working in the healthcare field, there were a couple of EU countries that had a law that forbid any patient data to leave the country. You could not rent secure data storage in the US and store encrypted backups of your patient data abroad without opening yourself up to a lot of lawsuits. I think if you're really going to continue with this plan, it might be best to contact an international law firm with experience in the healthcare business in order to assist you... Nobody on this forum (not even the ones like me, with IT healthcare experience) will be able to give you any foolproof advice. |
|
|
|
I have worked in the healtcare industry myself for about 8 years in the past (i'm currently not working in the healthcare industry anymore), i do think you're touching a very delicate subject. In the past, there were some really tough laws in place to protect patients data, and recently the laws seems to have gotten a lot tougher. I remember having to encrypt all data that was being sent to the governement, upload it to a sftp whose keys were exchanged in person, then send the encryption key on a dvd via snail mail, and the password to unlock the key via text message, and the hash of the encrypted data in a signed letter to a different instance... I just wanted to point out that even in the past, the security measures with patient data were rather paranoid The problem is that a blockchain is a public, immutable, trustless, decentralised ledger. Anything data you include in a block is there to stay. - What if the patient changes his mind? There is no way to "erase" his data
- What if data that is considered harmless at this point in time, becomes something of great intrest/value to for example insurance companies (for example, at this moment in time, you think it might be a good idear to record your pollen alergy into a blockchain, but in 50 years pollen alergies get linked to a specific type of terminal iless and an isurance company decides to double the premiums for everybody having a pollen alergy based on this data
- I've also heared some companies saying that anonimising the patient's data is the sollution, but what if the key gets leaked? What if one of the hospital's databases gets breached and a hacker is able to link each anonymous key to a real life person?
I'm not saying it's a bad idear, i just think a person who wants to develop such a blockchain should do their homework and think about as many attack vectors as humanly possible before writing a single line of code. |
|
|
|
I think that instead of online wallets the offline ones are a lot safer though the process is a long one of getting registered and bejng able to buy and sell your Bitcoins but it's worth it for the added safety ..
The hardware wallets ar just too much for the ones who are holding just a little amount and.. it's only beneficial for the ones who have huge sum to save.
When we talk about security then one should check out wallets with segWit support like samourai ' .
Hmm... You don't need to register an offline wallet. Also, AFAIK, there is no link between extra security and segwit support (correct me if i'm wrong tough). I think nowadays the best place and proven safest to store bitcoin you have is only in blockchain.com because there it is directly stored in place that use to menyimapn and bitcoin transactions.
I've repeated this soooo many times blockchain.info and blockchain.com = private company blockchain = technology for a decentral, trustless, immutable datastore on which bitcoin is built blockchain.info/.com != the blockchainblockchain.com/info is just using the blockchain name, they are not the inventors of the blockchain technology. They did not write the whitepaper, they are not the only ones that store the complete blockchain (that's why it's called decentral), they have no power to change anything without consensus, they do not have the power to modify transactions in the chain, they do not support anything but their own apps,... blockchain.info is an online wallet. Eventough it's one of the safer ONLINE wallets, it's still an online wallet thus inherently unsafer than a truely vetted desktop wallet/hardware wallet/offline wallet/paper wallet. |
|
|
|
--snip--
You're right, Hacker is the one of problem in Crypto world. And it's can be happened if we save our money in online wallet. So I offline wallet, hardware wallet, and paper wallet are best option to keep your money safe.
Real hackers (in the classical sense) are only a small part of the problem of online wallets. It all starts with the fact that when you use an online wallet, you're usually not the only one in controll of your private keys (sometimes you don't even have access to the private keys at all). You depend completely on the exchange or online wallet to handle all your needs (generating new private keys => public keys => addresses; safely storing those keys; managing your contacts; managing unspent outputs; generating and signing transactions; broadcasting; signing messages;...). If the online wallet goes bancrupt => best case scenario you're able to restore your wallet somewhere else, worst case scenario you lose everything If the online wallet doesn't support a certain feature => you're out of luck If the online wallet has a bug => you'll have to wait untill they fix it If you have a problem => the online wallet's support team will be the only ones that can help you, so you'll have to wait If the online wallet turns scam => you lose everything If the online wallet gets hacked => you lose everything If you get hacked/infected => you lose everything If the security scheme or RNG of the online wallet is bad => you lose everything If you fall for a phising link => you lose everything
If you use at least a half-decent wallet, most of the things above do not apply... You should be the only one in controll of your keys, you should be in controll of the software running on your system, you should be in controll of generating new addresses, signing, managing, broadcasting... Sure, things can still go wrong if you make mistakes, but at least they were YOUR mistakes, not the online wallets'. And IF things go wrong while you're using a decent wallet, at least the rest of the community *might* be able to help you fix things. |
|
|
|
If you want to secure your bitcoin there are two is one way s to keep safe it. 1. Online wallets.2.1. Hardware wallets. If you chose number one you have to take some steps for keep safe your bitcoin. 1. Take a very heard password. 2. Keep your password in a very secure place. 3. Don't save your password in online. 4. Activate two step authentication. 5. Don't share your password to any one. For your help give some trusted wallet links...
1. https://www.coinbase.com
2. https://www.coinpayments.net
3. https://www.blockchain.comIf you chose number two you have to pay some money for keep safe your bitcoin but i think this is better to keep your bitcoin in a hardware wallet. It is more safe then any online wallets... For your help i give some trusted hardware wallets link. 1. https://www.shiftcrypto.ch/2. https://www.ledgerwallet.com/3. https://opendime.com/4. https://trezor.io/5. https://tangem.com/So now its your choice that how to keep safe your bitcoin now.......😊😊😊😊😊 Your ever😊 Fixed that for you Offcourse, you forgot about airgapped cold wallets and paper wallets... They are as safe as a hardware wallet. Online wallets and exchanges do not belong in the same sentence as the word "safe", unless preceded by the word "not" |
|
|
|
--snip--
Hello, Mocacinno!
Thanks for your comment, I'll give you more detailed information about the encryption and the site. I believe that everything you said will not cause any problems for WhatPassword.
From your two models I'm using B.
I am using the Laravel framework 5.6 for source code structure and this guarantees me a great security against bugs that I myself could cause by creating the source code. About cryptography I'm using bcrypt that already comes included in the framework. Another security factor that I have not yet created but I have already foreseen is the creation of device to send multiple emails and sms when a person requests your password, however only 1 of these are true and the other fakes. So for the hacker to try to know which one is true, it will cost more time and make it almost impossible to do everything in 1 minute.
The passwords in the database are also destroyed after that time, so it does not matter if he hacks the database, it will only have passwords valid for less than 1 minute.
I hope you have explained it clearly. hug
I'm glad to hear you hash your passwords instead of encrypting them, i really was under the impression you were using encryption instead of hashing... You'd be supprised how many times i had arguments with developers about this subject, for some strange reason a lot of devs seems to prefer to put plaintext passwords in databases instead of using a proper hashing algos... A lot of them don't think they'll ever be a victim of a hacker attack, or they simply overestimate their own talent, or underestimate an evildoer... Good luck with your project |
|
|
|
--snip--
Hello Friend! The text must have gotten a bit confusing, because it is actually the encrypted password entered in the database and then it will only be decrypted if it has the 5 parts together. Even if a hacker invades the database will not be a risk, because he needs to join the 5 parts in 1 minute and still access the database.
I've been writing web applications for my employer for quite a while... I'm not a good scripter/programmer and defenatly a bad designer, but i do know a thing or two about security... Things i've picked up over the years Let's review 2 situations from a malicious person's view: Situation A: You store your passwords, chopped in 5 pieces and encrypted into a database- Would it be imaginable you wrote a single bug somewhere in either your code or your webpages? An attack vector you didn't think about? A misconfiguration of your apache/nginx/lighthttpd? A misconfiguration in your database installation? A weak OS/db password? An unpatched binary? If so, would it be unimaginable that the attacker could find a backdoor or a sql injection point that allowed him to dump your database, thus getting his hands on all 5 encrypted pieces of all passwords stored in your database?
- If the attacker got his hands on hundreds of chopped up passwords, would it be imaginable that he found the logic in how to decrypt your passwords? I mean, unless you encrypt the pieces using an offline machine, the passphrase or key *would* technically be hardcoded or stored in a database somewhere on an online machine, right? If the password or the logic wasn't stored online, how would you ever encrypt/decrypt the pieces yourself? The same attack vector as the one in step one *could* *potentially* be used to rip your sourcecode to look for the hardcoded password/password logic
- IF an attacker managed to get past the first 2 hurdles, would it be imaginable he could then execute the first step and apply what he learned in the second step and decrypt NEW passwords in a matter of seconds?
- Sure, this is a longshot, but if your service ever becomes *the next big thing*, you should be prepared for really smart evil people investing a lot of time into breaking your security model... So why not build it foolproof from the start?
Situation B: You store your passwords, not chopped but stored as a SALTED hash in your database (for example, bcrypt with a high cost)- Would it be imaginable you wrote a single bug somewhere in either your code or your webpages? An attack vector you didn't think about? A misconfiguration of your apache/nginx/lighthttpd? A misconfiguration in your database installation? A weak OS/db password? An unpatched binary? If so, would it be unimaginable that the attacker could find a backdoor or a sql injection point that allowed him to dump your database, thus getting his hands on the salted hash?
- Now here is where things get different: even if he dumps all passwords, he needs to brute force each and every one of those passwords starting from 0. Since you have long passwords, and they got salted during the encryption process, there is simply no way he'll ever be able to brute force a single password within any reasonable timeframe
In situation B it doesn't even matter if your complete sourcecode, password file and database dump ever get leaked... The attacker won't be able to use that information to decrypt the password hashes. As long as there are no rainbow tables for bcrypt passwords with a length of 23-25 characters are generated, your users will always be safe (hint: i don't think such rainbow tables will exist in our lifetime... It would require bcrypt asics and a corporate SAN to generate and store this data) And from a programming point of view: what's the difference between comparing two plaintext strings and two hashes? The only extra cost is that you have to hash the user's input twice... Costing you a couple processor cycles and maybe a couple miliseconds... Seems like a fair price to protect your users, doesn't it? |
|
|
|
|
Show Posts
