sergeevabc closed this issue 8 years ago
@sergeevabc Apologies for my delay in answering this, I have a huge backlog and needed to get my blog back online to answer this.
Have you read my article explaining the design of the algorithm, or any of the previous posts explaining the purpose of the project?
@sergeevabc Did my last comment answer your question, and if so can I close this issue?
Dear James, I'm looking for the most reasonable implementation of an online password hasher for the years ahead. I have found none so far, though I have tried every related extension from the Chrome Web Store along with GitHub projects.

For example, Saltthepass.com produces `x = Trim(Base64(SHA3(Master Password + Domain Name + Domain Phrase)))`, which means the developer oversimplifies the proper theory behind hashing: “Password Hashing Competition”, “Storing passwords securely”, “Salted Password Hashing - Doing it Right”.

Let's examine your solution. Questions and doubts arise as I see that PBKDF2 seems to be used without HMAC-SHA256 at least, the number of rounds/iterations is neither clearly stated nor changeable, some UUID is hard-coded, the relatively outdated CryptoJS is used instead of modern SLSJ, ASMCrypto or FastJS, and the “max repetition” parameter is neither documented nor self-explanatory. (For example, Oneshallpass.com, which uses PBKDF2-HMAC-SHA512, is well-documented, but its front-end is cumbersome, alas.)

In the end, James, could you tell if Vault is going to be tightened up and how?