Demystifying password security
Not every developer has to deal with cryptography in their everyday job. Some
are outright scared by it. With crypto, you soon become the nerd among nerds.
Still, one aspect that most of us will encounter in our work eventually is
password security. And while being one of the most important aspects of application
security it is surprising how unclear the picture gets when you are looking for
concrete answers. I mean, how hard can it be, right? Unfortunately, pretty hard.
There are few areas in applied cryptography where you will find as much FUD as when
it comes to password security. Many contradictory opinions, a lot of cargo cult,
idolism, but no fricking answers!
So sure, we could finish this talk in a minute, I tell you "use bcrypt" and we're done.
But I'd like to share some of the insight I gained while investigating this over the last
year. We could talk about the foundations of password security, about all the
little things that can go awry when a password makes its journey from client to
server and from server to database.
We could discuss hash functions, collision resistance, salts, rainbow tables, unicorns;
no subject will be too dry for me to touch.
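The one-minute version of the talk ("use bcrypt"), as an added example that is not part of the abstract or its author's code: an unsalted fast hash beside a salted, slow, parameterised password hash. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt so the snippet runs without extra packages; the `$algo$cost$salt$digest` record layout and the iteration count are my own choices.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample: two users who happen to pick the same password.
USERS = {"alice": "correct horse", "bob": "correct horse"}

def naive_hash(password: str) -> str:
    """Unsalted fast hash. Equal passwords give equal digests, so one
    precomputed (rainbow) table answers for every user at once."""
    return hashlib.sha256(password.encode()).hexdigest()

# Assumed policy for this example; bcrypt would carry a cost factor instead.
ITERATIONS = 600_000

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, deliberately slow hash. Salt and cost are stored in the record,
    so they travel with the digest the way bcrypt's own format does."""
    salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$pbkdf2-sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    _, algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2-sha256":
        raise ValueError("unsupported hash record")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)

def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when the record was made with a lower cost than current policy,
    so it can be upgraded on the next successful login."""
    return int(stored.split("$")[2]) < iterations
```

With the naive scheme alice and bob share one digest; with the salted scheme their records differ and a correct login still verifies.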