Private Home page
Note: For the procedures used at this site, a basic computer setup can check a billion (10^9) passwords per second. You need a password (or phrase) strength in the order of 56 bits to be a little secure (2^56 / 10^9 s, a year or two on a single computer). One of the largest computing networks in the world, Bitcoin mining, could check some 12 terahashes per second (June 2012). Since each Bitcoin hash is a double SHA-256, this corresponds to checking 6 × 10^12 passwords per second.
It would take a password strength of ~68 bits to keep the equivalent of the Bitcoin computer network occupied for around a year before it found
An example would be the phrase 'Sherlock investigates oleander curry in Bath'.
Your password might be vulnerable to brute force guessing. Protections against such attacks are costly in terms of code complexity, bugs, and execution time.
However, there is a very simple and secure countermeasure. See the XKCD comic above. The phrase "There is no password like more password" would be both much easier to remember and still stronger than "h4]D%@m:49", at least before this phrase was pasted as an example on the Internet.
Please be so kind as to add the name of your favorite flower, dish, fictional character, or small town to your password. Say, Oleander, Curry, Sherlock, or Bath, UK (each adds ~12 bits, i.e. one choice out of roughly 4000), or even the phrase Sherlock investigates oleander curry in Bath (adds > 56 bits; note that oleander is poisonous, so do not try this curry at home). These bit counts assume the word is picked at random from a list of a few thousand; a favorite that many people share is worth correspondingly less, because an attacker tries the popular ones first. That would still be more effective than adding a thousand rounds of hashing, which buys only about 10 bits (log2 1000) of extra work for the attacker. Typing long passwords without seeing what you are typing is problematic, so a button should be included to make the password visible.
The Salt and Ticket values are all created by taking the SHA-256 of 64 bytes of output from /dev/urandom and encoding the digest in hex (64 hex characters).
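As an added example (not part of this page and not CGIscriptor.pl's own Perl code), the following Python puts the arithmetic of the password-strength note above and the salt/ticket construction just described into runnable form. The attacker rates and the ~4000-entry word list are assumptions taken from the figures in the note; the token generator follows the stated method (SHA-256 over 64 bytes of OS randomness, hex encoded) and adds a short-read check that a practitioner would want.

```python
import hashlib
import math
import os

# Attacker speeds quoted in the note above, in guesses per second (assumed).
SINGLE_PC = 1e9         # "a basic computer setup"
BITCOIN_2012 = 6e12     # 12 TH/s of double SHA-256 = ~6e12 single hashes/s
YEAR = 365.25 * 86400   # seconds


def entropy_bits(choices):
    """Bits of entropy for a secret assembled from independent, uniformly
    random choices; `choices` lists the number of options per component
    (e.g. [4000] * 6 for six words drawn at random from a 4000-word list)."""
    return sum(math.log2(n) for n in choices)


def years_to_exhaust(bits, rate):
    """Years an attacker at `rate` guesses/s needs to try every candidate."""
    return 2.0 ** bits / rate / YEAR


def stretching_bits(rounds):
    """Work factor, in bits, gained by iterating the hash `rounds` times.
    A thousand rounds is worth just under 10 bits."""
    return math.log2(rounds)


# Constructed cases mirroring the note: a 10-character random password over
# the 95 printable ASCII characters, versus phrases built from an assumed
# ~4000-entry list of flowers/dishes/characters/towns (~12 bits per pick).
WORDLIST = 4000


def strength_table():
    """Return {label: (bits, years on one PC, years on Bitcoin-2012)}."""
    cases = {
        "10 random printable chars": [95] * 10,
        "one word from the list": [WORDLIST],
        "six-word phrase": [WORDLIST] * 6,
    }
    return {
        label: (entropy_bits(c),
                years_to_exhaust(entropy_bits(c), SINGLE_PC),
                years_to_exhaust(entropy_bits(c), BITCOIN_2012))
        for label, c in cases.items()
    }


def fresh_token(rng=os.urandom):
    """Salt/ticket as this page describes it: SHA-256 over 64 bytes read from
    the OS random source, hex encoded. `rng` is injectable for testing."""
    raw = rng(64)
    if len(raw) != 64:
        # A short read would silently weaken the token; fail loudly instead.
        raise ValueError("short read from random source")
    return hashlib.sha256(raw).hexdigest()


if __name__ == "__main__":
    for label, (bits, pc, btc) in strength_table().items():
        print(f"{label:28s} {bits:5.1f} bits  {pc:10.3g} y on one PC  "
              f"{btc:10.3g} y on Bitcoin-2012")
    print(f"1000 hashing rounds add only {stretching_bits(1000):.1f} bits")
    print("example salt/ticket:", fresh_token())
```

Running the script shows the point of the note in numbers: a 10-character random password sits near 66 bits, a six-word phrase from a modest list near 72 bits, while a thousand extra hash rounds move the attacker's cost by less than 10 bits.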
Example Login page for CGIscriptor.pl
Copyright © 2012 R.J.J.H. van Son
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.
jsSHA (http://jssha.sourceforge.net/): SHA implementation as defined in FIPS PUB 180-2, as well as the corresponding HMAC implementation as defined in FIPS PUB 198a. Version 1.3, Copyright Brian Turek 2008-2010, distributed under the BSD License. Several functions taken from Paul Johnson.