ptkdf: Plaintext key derivation function

Better Security Through Obscurity

I think it’s best to store passwords in plain text, but use a really strange algorithm to convert them, so they look like real passwords. Like Password1 is changed to SexyTime! Then hackers will be like, “YES! I GOT IT!” but none of the passwords will work.

What

The real salt and derived key are encoded into zero-width characters: The zero-width space, the zero-width non-joiner, the zero-width joiner, and the word joiner. A realistic-sounding password (derived from the salt) separates the salt and derived key in storage.

Usage

const ptkdf = require('ptkdf')
const hashed = await ptkdf.create({ password: 'God', keylen: 32 })
// hashed = '⁠‍⁠‌‌‍‍‍⁠‍⁠‍‌‍⁠‌‍‌‌⁠‍⁠⁠‌⁠‌‌‌‍‍‍‌⁠‌⁠‌⁠‌‍⁠‌‌‍‍thx1138‍⁠‌‌‍‍‌‍‌⁠⁠‌‍⁠‌‍‌⁠‍‍⁠‍‍‌⁠‌‌‌⁠‌‍‍‍‍⁠‍‍‌⁠‌‍‍‌‌‍⁠‍‌‌⁠⁠‌‌‍‍‌‍‌⁠‌‍⁠‌‌‍‍⁠‍‍⁠⁠‍⁠‍⁠‍‌‌⁠‌‌‍‍⁠‍⁠⁠‌‍‍‌⁠⁠‍‌‍‍⁠‍'
let authenticated = await ptkdf.verify({ plaintext: 'God', hashed })
// authenticated = true
authenticated = await ptkdf.verify({ plaintext: 'thx1138', hashed })
// authenticated = false

Examples

password	derived key
love	⁠‌‌‌‍‌‍‍‌‌‍⁠‍⁠⁠‍‍‍‍‌‌‌⁠‍⁠‌⁠⁠‍‌⁠⁠‍⁠‍‍⁠‍‍‌‍‌‌‌‍⁠‍‌‍birdie‍‌⁠⁠‌‌⁠‌⁠‌‌‌⁠‌‌‍⁠⁠‍‍‍⁠‌⁠⁠‍‌‍⁠‍‌⁠⁠⁠⁠‌‌⁠⁠‍⁠‍‍⁠‌‌‌‍⁠⁠‌‌‌⁠‍‍‌‌‍‍‍⁠‍‍‍‌‌‍‍⁠‍‍‍‍⁠‍‍‍‍⁠⁠‌‍‌⁠‍⁠‍‌⁠‍‌‍⁠‌⁠⁠⁠‍‌
sex	⁠‍‌‍‌‍‍‍⁠‍⁠‌‍⁠‍‌‍⁠⁠‌‍‍‍‌‍‍‍‌‌‍‍⁠‌‌‌⁠⁠‍‍‌‍⁠‌⁠‍⁠⁠‌‌‌⁠⁠xxxxxx‍‌⁠‌‍⁠‍‌‌‌‍⁠‌⁠⁠‌‌‍⁠⁠⁠⁠‍‍‍⁠‍⁠‍‌‍⁠‌⁠‌⁠‌⁠⁠⁠‌‍‍‌⁠⁠‌‌‌⁠⁠‌⁠‌‍‍‍‍‌⁠‌⁠‍⁠⁠‌⁠‍⁠‌‌‌‍‌⁠⁠‌⁠⁠⁠‍⁠⁠⁠⁠‍‌⁠⁠‍‌‍⁠⁠‌‍‌‍‌‌‌
secret	‌‌‌⁠‌⁠‌‍⁠‍⁠‌⁠⁠‍‍‍⁠‌⁠⁠⁠‌⁠⁠⁠‌‍‌⁠⁠⁠‍‍‍‌‌‍‌‍‍‍⁠⁠⁠boobs‍‍‌‍‍‍‌⁠‌⁠⁠⁠⁠‌‌‍‍⁠⁠‍⁠‍‌⁠‍‌⁠⁠⁠‌⁠‌⁠‍‌‌‌⁠‍⁠⁠‍⁠‍‍‌‍⁠‍‌‍⁠⁠‌‍‌‌‌‌‌⁠⁠⁠⁠⁠⁠‌‍‍‌‍‌‍‌‌‌⁠‍‍‍⁠‍‍⁠⁠‍‍‍⁠‍‌‌‌‍⁠‍‍
God	⁠‍⁠‌‌‍‍‍⁠‍⁠‍‌‍⁠‌‍‌‌⁠‍⁠⁠‌⁠‌‌‌‍‍‍‌⁠‌⁠‌⁠‌‍⁠‌‌‍‍thx1138‍⁠‌‌‍‍‌‍‌⁠⁠‌‍⁠‌‍‌⁠‍‍⁠‍‍‌⁠‌‌‌⁠‌‍‍‍‍⁠‍‍‌⁠‌‍‍‌‌‍⁠‍‌‌⁠⁠‌‌‍‍‌‍‌⁠‌‍⁠‌‌‍‍⁠‍‍⁠⁠‍⁠‍⁠‍‌‌⁠‌‌‍‍⁠‍⁠⁠‌‍‍‌⁠⁠‍‌‍‍⁠‍

About

Better Security Through Obscurity

MIT License

Languages

Language:JavaScript 100.0%