3

I leave another one of my opinions here and go to bed to wake up to an onslaught of hate...

But, salting passwords is problematic.
I'll do it, I am a hypocrite. I don't want to explain to my customers why I haven't done it.

But the issue with salted passwords is that we defend our users' data against a possible leak. Plus a tiny bonus against timing attacks. It is not defended against us. We can just log the password in clear text or refuse to hash it or hook in between reverse proxy and application.

1. When they are salted, we make rainbow table attacks harder. More compute intensive.
2. When they are salted, we cannot quickly identify people with the same password. Therefore not quickly isolating people with a simple password.

And that's bad.

Let me first start to explain one thing. Imagine you have a generated password. Random characters. Like 50 of them. And you used that password on one website. Not on any more. With a password manager. And now you hear that this website leaked their database. Do you worry? Well, no... If that website itself was not embarrassing. You just log in, set a new one, done. You don't care about it.

We only care about salting because upstream users have not used good passwords. Salting is only there to mitigate password reuse. And because it is good at doing that, people keep reusing passwords.

If we didn't mitigate it, the dangers of reusing passwords would be so widely known. Everyone and their grandmothers would know how to keep good passwords. But sadly, we mitigate and most of us are trustworthy.

Users don't meet us. They don't know who we are, they shouldn't give us their everywhere password. But they do. Because we are too trustworthy, we take good care of it and we mitigate the bad outcomes. If a user leaked their password to us, it is too late. They gave it to a party they shouldn't have trusted. Sadly, we turn out to be trustworthy too often.

And if I wanted to steal a huge amount of passwords, I just create a quick website that turns images into gifs or something stupid. Converts webp into png. For free. Just sign up. We conditioned them to trust website services.

Yea, so, basically, my daily PSA, we have done our users a disservice by mitigating damage at a point after the mistake has already happened.
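The two effects listed in the post (precomputed tables stop matching, and identical passwords stop producing identical digests) can be seen on a tiny constructed credential table. This is an added example, not code from the post or its platform; the account names, passwords and wordlist are made up for the demo.

```python
import hashlib
import os
import secrets
from typing import Optional

ITERATIONS = 100_000  # PBKDF2 work factor; the point here is the salt, not the tuning

def hash_unsalted(password: str) -> str:
    """A bare hash: the same password always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_salted(password: str, salt: Optional[bytes] = None) -> tuple:
    """Per-user random salt mixed into a slow KDF; returns (salt, digest_hex)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest.hex()

def verify_salted(password: str, salt: bytes, stored_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_salted(password, salt)
    return secrets.compare_digest(candidate, stored_hex)

# Constructed sample accounts (not real data); alice and bob reuse one password.
USERS = {"alice": "correcthorse", "bob": "correcthorse", "carol": "Tr0ub4dor&3"}
WORDLIST = ["password", "123456", "correcthorse"]  # constructed precomputed list

def store(users: dict, salted: bool) -> dict:
    """Build the credential table the way each scheme would persist it: user -> (salt, digest)."""
    if not salted:
        return {u: (None, hash_unsalted(p)) for u, p in users.items()}
    return {u: hash_salted(p) for u, p in users.items()}

def shared_password_groups(table: dict) -> list:
    """Point 2 of the post: users whose stored digests collide share a password."""
    groups: dict = {}
    for user, (_, digest) in table.items():
        groups.setdefault(digest, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def precomputed_hits(table: dict, wordlist: list) -> dict:
    """Point 1 of the post: digests of the wordlist computed once, then looked up per stored record."""
    lookup = {hash_unsalted(w): w for w in wordlist}
    return {u: lookup[d] for u, (_, d) in table.items() if d in lookup}
```

With salting, the same precomputed lookup returns nothing and the two reused passwords are no longer visible as a collision; only verification with the stored salt succeeds.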

Comments
  • 4
    Well, if it's controversial it will be peppered with counter condiments.
  • 2
    I'm a big Yolo regarding passwords. I like the discussion about what the safest one is more: it's the one that only exists in your head. On my Snek platform it's allowed to have a one-char password. Yolo. I hold the user responsible for password strength. The user can decide if it's bullshit or not.

    Regarding storage of salted passwords, well, it's a nice gesture, it's cool to say when the data is breached. We also could have spent that time reviewing security. I find complex passwords and stuff for databases funny, like the hacker's last challenge is to remember the password while he hacked your system.

    I'm not so worried about all that stuff.

    Security awareness was raised big time the last few years.
  • 2
    @YourMom you are peppered yourself young man.
  • 3
    What hate btw? This is the most wholesome platform in the world (while not being terrorized by moderators, reddit ughz).

    Have a good sleepii.
  • 2
    lol

    Why so salty? When there are so many other flavors to choose from.
  • 2
    @retoor I have seen on more woke platforms this idea of hate when having different opinions. The woke people prod and probe someone with dissenting opinion with outright hateful stuff. They will say if you don't agree with their specific opinion then you are a nazi or some shit. Knowing moderators back them up. As soon as the dissenter responds with anything other than logic then mods jump in and ban them. This happens all the time on the Nexus. Vile place.

    So I think sometimes people exposed to that type of conversation might see alternative opinions as something other than alternative opinions. I think it's the influence of one-sided places leading people to believe that. That, and it is probably tongue in cheek for engagement. I do that a lot.
  • 1
    I like cinnamon, myself, but it all depends on what I am eating at the time.

    /jk

    OT: Sounds like a choice between the Douche && the Turd Sandwich... Pick your poison.

    /* Well... probably better to salt && teach. Maybe if the user enters some ridiculously weak password, a message saying just that would be in order... At least you tried. */
  • 2
    Not going to lie, I expected more attacks on this one.
  • 1
    I'm pretty sure when the average Joe hears there's been a data breach he assumes his actual password has been leaked, and he just shrugs and assumes it's someone else's problem.

    He wouldn't understand hashing if you tried to explain it to him, and he doesn't care. He thinks the idea of choosing a strong password is a bit of a joke, like you're pretending you're James Bond or something.

    He reuses passwords because using password managers is confusing, and he left the little book he used to write them all down in on a train a couple of years ago. When his accounts occasionally get hacked, he just puts it down to computers being unreliable, there's nothing he could have done about it.
  • 1
    @badger Of course there is an xkcd :)
  • 1
    @badger

    They don't care about it because they aren't hit by it. And they shouldn't care about hashing, they should care about unique passwords. If they did, we didn't have to hash. (Or only to avoid timing attacks.)

    But make those breaches painful and their understanding will develop.
  • 0
    "they should care about unique passwords. If they did, we didn't have to hash."

    senseless.
  • 0
    @afaIk What about it is senseless? Try to use full sentences.
  • 2
    @TrayKnots nobody on dR will attack you for having an opinion, even when it's considered wrong. It won't even get downvoted. We have a very good culture here; that's why I can't understand why we're so smol. We're such a huge upgrade in comparison to other platforms.

    But this certificate issue is biting us hard, I see :( Terrible.
  • 1
    I like curry