Hacker News

7 Comments:
aurorabbit said 5 days ago:

On the topic of toy web crypto projects, here's mine: https://emojicrypt.com/

It offers scrypt + aes-gcm, encoded into 256 emoji; all the crypto is in https://github.com/aurorabbit/libemojicrypt/blob/master/prot... (I could have went without a subrepo, but in theory it makes non-web integration or alternate interfaces simple.)

It's based off of ricmoo's scrypt.js, pfrazee's base-emoji, and WebCrypto.

Output contains a header (with N/r parameters), salt, IV, and HMAC. Room for a dozen more protocol versions as well.

It's abandoned, looking for a loving home! Work for some new (and some unimplemented) features is laid out here: https://github.com/aurorabbit/emojicrypt.com/issues

camsjams said 5 days ago:

Nice! I made something similar to this: https://github.com/camsjams/mr-roboto

With a slight difference, it works 100% in the browser, you can use it here: https://camsjams.github.io/mr-roboto/

But you need to store the output somewhere safe.

maxlaumeister said 4 days ago:

Hey! I also made something similar to this (uses a password-derived key to create protected, self-contained HTML).

https://www.maxlaumeister.com/pagecrypt/

Mine was originally in-browser, but thanks to some contributors (Zoltán Gálli and Nial Francis) it has Python and PowerShell CLIs now.

I like your use of async to make sure the work stays off the main thread.

Tepix said 4 days ago:

It took way too long on my laptop (i5-6200U). With a decent random password (say, 14 letters), the search space will be very large. If a determined attacker (with a couple of GPUs) can attempt 100.000 passwords per second it will still be impossible to crack in an acceptable time.

If we assume that this determined attacker is calculating these hashes 100.000 faster than the average browser, it should be enough if the user has to wait for one second, not one minute.

On the other hand everyone has different security requirements so perhaps making it configurable is the best way to go proceed (with some recommendations).

PS according to https://github.com/analsec/hashcatbenchmark/blob/master/Nvid... a RTX 2080Ti can crack 750k WPA-EAPOL-PBKDF2 with 4096 rounds per second.

sowbug said 4 days ago:
eitland said 5 days ago:

This might take a moment it said but I think I waited two minutes with no result in sight.

bmsleight_ said 5 days ago:

Works, but takes a little while. Nice -useful