Companies which store user data encrypted with a password should publish the parameters of the KDF they use. If the encrypted data is stolen, it gives the difficulty faced by the hackers to brute force a password. (If hackers steal passwords by some other means, all bets are off.)
The passwords in question could be user passwords, or passwords used internally by the company.
Publishing the parameters of the KDF allows competition between companies on who protects user data more. We need some method to certify that a company is actually doing what it claims, perhaps regulations specifying punishment for lying.
We might need regulations also requiring companies to actually publish the parameters, because market competition has not achieved the desired transparency on its own so far.
No comments :
Post a Comment