Wednesday, October 31, 2018

If it's FIPS I sips


Having recently become constrained by FIPS 140-2 compliance, I found myself wondering, "How am I supposed to hash passwords?" Then I wondered, "How have other FIPS 140-2 compliant vendors been hashing passwords?" - and then I thought of the most obvious answer*, and all the breaches of government systems seemed a lot less surprising.

(*Using a cryptographic hash instead of a password hash)