[messaging] Peerio

[Trevor Perrin]

On Wed, Jan 14, 2015 at 11:02 PM, Mike Hearn <mike at plan99.net> wrote:
> My big question (sorry Nadim, if this has been addressed before as part of
> the MiniLock discussions) is what stops passphrases being brute forced. It
> seems from the spec that the passphrase == private key and public key is
> then derived from that, in the usual ECC manner.


In miniLock, if you try a passphrase that fails a strength check [1]
it suggests one for you (7 words from a ~16 bit list = ~112 bits
entropy).

It looks like Peerio performs the same strength check, but on failure
asks you to choose again, instead of suggesting one.  It'd be
interesting to know the rationale - did users dislike the generated
phrases?

---

It looks like minilock hashes the password with scrypt, N=2^17 and
r=8.  Peerio's parameters are a bit smaller, but I think standard
(N=2^14, r=8).
Resisting offline passphrase-cracking with a strong passphrase and
good hashing is obviously important here, since cracking can be
attempted by anyone who sees your public key (not just the server).

More and more systems are using scrypt for password hashing.  Does
anyone know the state-of-the-art in scrypt cracking?


Trevor

[1] https://github.com/dropbox/zxcvbn