You can not lose your private key, if you drop it first

You can not lose your private key, if you drop it first(blog.imcotton.xyz)

2 points by imcotton 1 year ago | 4 comments

What rubbish is this?

Does the author not understand entropy or probability?

Deriving an RSA key from the product of two memorizable numbers makes it brute-force-able, and sends us back to 1990s export controlled encryption strength.

Tattoo-ing a key on one’s arm (however ridiculous) would be better than the methods here.

imcotton 1 year ago | |

Now, brute-force my private key and post new blog entry with your wallet address, I will send you rewards.

Too 1 year ago | |

Yeah. This removes one factor in 2FA by deriving something you have by something you know.

Almost equivalent to going back to username+password and use your favorite git hash as your password.

If you are truly paranoid about loosing your ssh key, get a hardware yubikey instead.

imcotton 1 year ago |

In case one not digging into the source code, the key stretching here is PBKDF2-HMAC-SHA512 with 400,000 iterations (OWASP recommended 210,000).

The reason for not using Argon2 or scrypt is because PBKDF2 is native provide by Webcrypto yet FIPS-140 compliance.