264acb4941e66811d4e69851a51e5f0b8605826c — eau 4 years ago 3b2d373
updated README.
1 files changed, 16 insertions(+), 2 deletions(-)

M README.md => README.md +16 -2
@@ 63,7 63,16 @@ with your key derivation in order to attack it offline.

**!!! IMPORTANT !!! This is NOT what makes your hash safe, it just makes it slightly harder to attack offline.**

### Secret Key'ed Hash 
### Key'ed Hash 

Key'd hashes makes it impossible to bruteforce (unless collision in hashes of course or the secret leaks), 
key'd hashes try to guarantee that leaked password cannot be attacked offline.

We used the method described [here](https://bristolcrypto.blogspot.com/2015/01/password-hashing-according-to-facebook.html).

This requires you to **`<profile>.SetSecret()`** before call the **`Hash()`** or **`Compare()`** function.

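Review bot: the sentence "Key'd hashes makes it impossible to bruteforce" in the new Key'ed Hash section overstates the guarantee. The line after it gives the accurate scope (a leaked password hash cannot be attacked offline), and that only holds while the secret stays private; online guessing through the application is unaffected. Suggest wording along the lines of "Key'd hashes prevent offline brute force of leaked hashes as long as the secret does not leak", and since the whole property rests on the secret, say that it has to be stored apart from the hashes. Also in this section: the term is spelled both "Key'ed" and "Key'd", "before call the" should read "before calling", and the text should state what `Hash()` and `Compare()` do when `SetSecret()` was never called.
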
@@ 145,7 154,7 @@ hopefully this helps understanding how to use this package.
	* minor code rearrangement.
	* can be used concurrently lock-free.
	* bugfixes and code cleaning.
	* write key'd hash tests & concurrency tests. (TODO)
	* write key'd hash tests & concurrency tests. (ON GOING)

* v0.1.3: 
	* fix a salted+masked+custom profile comparison issue.

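Review bot: the changelog entry "write key'd hash tests & concurrency tests." only moves from (TODO) to (ON GOING), while the same list advertises "can be used concurrently lock-free" and this commit documents key'd hashes as ready to use. Until those tests are finished, mark both features as untested or experimental in the README so readers do not rely on them for password storage, or hold the usage section back until the tests are merged.
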
@@ 175,6 184,11 @@ using a modern profile to store new passwords.

# Resources

[password hashing intro](https://www.win.tue.nl/applied_crypto/2016/20161215_pwd.pdf)
[key'd hashes](https://bristolcrypto.blogspot.com/2015/01/password-hashing-according-to-facebook.html)

# Project resources

[Send patches](https://git-send-email.io) and questions to
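
Review bot: the two links under the new "# Resources" heading sit on consecutive lines with no list marker or blank line between them, so Markdown renders them as one run-on paragraph. Prefix each with "* " to match the bullet style the changelog already uses. The key'd hashes link repeats the one given in the Key'ed Hash section, which is fine, but the first link's label could say that it opens a PDF hosted at win.tue.nl so readers know what they are following.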