|
Hold on:
To create : Take a random salt + password and hash. OK I understand.
To validate : Take the random salt + password and hash and check against the stored.
This does not compute... There are 2 random salts here... so 2 different hashes? Unless the salts are stored... and if your system has been pwned, your salt is pwned too.... And so back to square one...
|
|
|
|
|
"And so back to square one..." - Negative, Salt is not a secret value, it merely serves two purposes:
Purpose a) By forcing the use of a salt, we need to generate a hash table for every available salt to get passwords that are using that salt, driving up the cost of hash table creation (as rather than one table for all passwords, need one table per salt)
Purpose b) By using Salt we ensure that two passwords of the same value have different hash value due to the different salts....this stops things like finding all users with hash 1e0b2ffs7 blah mc blah and tying that hash to a specific password.
I hope I make sense, but if you want a .NET API to do it properly then look no further than here: http://sourceforge.net/projects/pwdtknet/
|
|
|
|
|
Hi,
This I understand. What I mean is this: If each salt is unique, your passwords will never match as between generation and comparison, they will have to be different!
In very simplified pseudocode:

Making the salted password:
    $salt = generateRandomSalt();
    $pwd = md5('password');
    writeToDb($salt + $pwd);

Checking the salted password:
    $salt = generateRandomSalt();
    $pwd = md5('password');
    if(($salt + $pwd) == getStoredPasswordFromDB()) then
        win();
    else
        fail();
    endif

As the generated salt will always be random, the salt will always be different for each call, so... if both passwords are different, how do you validate it? In this example with a random salt, the checking condition will always fail, and if you store the salt (or even store the method of generating a unique salt per user), then you are pwned just as bad, it will just take some extra time to reverse engineer the login system, and from there, back to some form of rainbow tables once the salt part is understood and removed.
Can someone light my candle here? My area of expertise is PHP along with Classic VB & VBA, so a .NET library is not much use, but really, it's the idea of just how this really works, as I am already sold on the need of such a system!
Cheers!
|
|
|
|
|
G'Day,
Yes, you are correct: you cannot just generate a new random salt at each authentication. You ONLY generate the random salt when the password is created, and the salt is indeed stored somewhere, generally in the DB with the hash. Now what you are saying is that if the DB is compromised and the attacker gains your hash and your salt, you suggest that they are pwned and can then use the salt to generate a hash table. Now you are correct that the salt can be used to generate a hash table, however that is why simply salt + hashing is not good enough. You also need to implement key stretching. The point of key stretching as per PBKDF2, Bcrypt etc, is such that generating said hash table takes an INFEASIBLE amount of time. It does this by performing a hash function such as HMACSHA1 over x (supplied) number of times and XORing the result of each pass with the previous one. If each hash generation takes half a second, it would take 1 second to generate two hashes! Making hash table generation not a viable option.
So basically it is fine for the attacker to gain your salt, hell give it to them if they ask for it even....you should always assume your salt is known anyway!!!
So folks always remember salt + password -> Key Stretching Function -> hash output to store.
I think the provided article does a better attempt at explaining than me but I hope I make sense anyhow
Cheers,
Ian
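The flow described in the reply above (salt generated once at creation, stored beside the hash, reused at login, with key stretching), as an added example that is not part of the original posts. It uses PBKDF2 from Python's standard library; the SHA-256 PRF, the iteration count, the record format and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; tune it to your own hardware
SALT_BYTES = 16       # assumed salt length


def _stretch(password: str, salt: bytes, iterations: int) -> bytes:
    # Key stretching: PBKDF2 repeats the HMAC `iterations` times.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def create_record(password: str) -> str:
    """Run once, when the password is set. The salt is generated and stored here."""
    salt = os.urandom(SALT_BYTES)
    digest = _stretch(password, salt, ITERATIONS)
    # Salt and iteration count are stored in the clear next to the hash.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Run at login. Re-derives with the STORED salt; no new salt is generated."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        candidate = _stretch(password, bytes.fromhex(salt_hex), int(iterations))
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(candidate, expected)


def verify_with_fresh_salt(password: str, record: str) -> bool:
    """The check from the pseudocode in the thread: a new random salt at login.
    It fails even for the correct password."""
    _, iterations, _, digest_hex = record.split("$")
    candidate = _stretch(password, os.urandom(SALT_BYTES), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```

Two records created from the same password differ because each gets its own salt, yet both verify, since the salt needed to re-derive the hash travels with the record.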
|
|
|
|
|
The personal nature of coding style is a challenge in a team atmosphere. Oftentimes, seeking to avoid lengthy arguments, teams defer creating style guides under the guise of not wanting to “discourage innovation and expression.” Some see team-defined style guides as a way of forcing all developers to be the same. Some developers rebel when presented with style guides, believing that they can’t properly do their job if someone is telling them how to write their code. // Code as I say, not as I do
|
|
|
|
|
Whenever an argument descends into coding style you can be sure a dozen more important problems are being missed.
|
|
|
|
|
SSH keys are useful to login over ssh (secure shell) without typing a password. They are also used by Github and other version control systems for passwordless authentication. Here is some basic information from the software developer point of view how to use SSH keys for maximum comfort and security. Sudo no more passwords?
|
|
|
|
|
Rob Pike is a software pioneer. His influence is everywhere: Unix, Plan 9 OS, The Unix Programming Environment book, UTF-8, and most recently the Go programming language. He recently gave the closing presentation at Heroku's Waza conference. Check it out. If you look at programming languages today, you might think the world is object oriented. It's not.
|
|
|
|
|
A couple of months ago (before it was even announced), we made the decision to convert all of our Javascript to Typescript. We finally got around to doing it a few weeks ago and this week I was trying to assess what measurable benefits we got for it. The first way I've looked at it is how many bugs did we find in the code that were uncovered just by getting Typescript compiler errors after the conversion. If the premise that large Javascript programs are difficult to get right and hard to validate and Typescript is a good tool for helping write more "correct" Javascript holds, you'd expect to find some bugs in a large code base you migrated. And sure enough, we did... From 80,000 lines of Javascript to a TypeScript-based front end... and fewer bugs.
|
|
|
|
|
TypeScript ===
/ravi
|
|
|
|
|
F# 3.0 is about to be released, bundled in with the new all-grey, ALL-CAPS Visual Studio 2012. The biggest new feature is type providers, bringing some of the benefits of dynamic languages into type safe world. Innovations like type providers deserve more industry attention. I really hope these ideas will spread and hopefully languages like Scala will pick them up pretty soon so more developers (including me) can enjoy the benefits. OK, that's cool, but how is good old F# doing? Well, about the same. It lumbers on in obscurity under the massive shadow of Microsoft and whatever crazy idea the company is currently peddling. How do we save this gem of a language?
|
|
|
|
|
Terrence Dorsey wrote: How do we save this gem of a language?
That's a complicated question. I tried 3 different responses, then realized, that's a complicated question! I'm hoping to write an article on type providers for Oracle (if someone doesn't beat me to it), after I update a certain *cough* article that I promised you guys something like 6 months ago.
Then, people need to see the benefit of F#, and that's not really easy to accomplish. It's a different way of thinking, the OO support is great but that isn't what FP is about, and who needs type providers for DB's anyways given the number of ORMs one can choose from.
It's a good question, and one I struggle with.
[edit] Oh, and at the moment, I disagree with the statement ...F# is superior to C# in every single way, for any application. That's just "jump on the latest tech bandwagon" blabbering, IMHO.
Marc
|
|
|
|
|
Marc Clifton wrote: F# is superior to C# in every single way, for any application. That's just "jump on the latest tech bandwagon" blabbering, IMHO.
One positions himself ahead of the curve simply by not jumping on every latest bandwagon - focusing on capability instead.
dev
|
|
|
|
|
Marc Clifton wrote: I'm hoping to write an article on type providers for Oracle
Yes please!
|
|
|
|
|
Marc Clifton wrote: It's a different way of thinking, the OO support is great but that isn't what FP is about
I agree, and I see that as a problem. F# is fundamentally a functional language, yet it is bound to a Smalltalk-style object oriented framework with class hierarchies, null references and all that jazz. The result is a little bit like C++ - too many features crammed together and not necessarily well composed.
|
|
|
|
|
Terrence Dorsey wrote: the new all-grey, ALL-CAPS Visual Studio 2012
I guess all you young'ns would have died back in the day of ASR-33 teletypes that did only black (gray when the ribbon was thin) all caps text.
You sound like my kids when I show a movie in B&W ("Eww, black and white? Yuck!") Or at least until I played THEM! and they heard the sounds of the giant ants, nary a peep out of them after that and their eyes were glued to the screen.
Relax, you'll get used to it.
Psychosis at 10
Film at 11
Those who do not remember the past, are doomed to repeat it.
Those who do not remember the past, cannot build upon it.
|
|
|
|
|
meh
If your actions inspire others to dream more, learn more, do more and become more, you are a leader.-John Q. Adams You must accept one of two basic premises: Either we are alone in the universe, or we are not alone in the universe. And either way, the implications are staggering.-Wernher von Braun Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.-Albert Einstein
|
|
|
|
|
What does it actually mean to be ‘senior’ in this discipline? I certainly have an opinion of what it means, given that I’m charged with hiring, supporting, and retaining engineers who are deemed to be senior. This notion that there is a bar to be passed in terms of career development is a good one, but I’d also add that these criteria exist on a spectrum, as opposed to a simple list of check-boxes. You don’t wake up one day and you are “senior” just because your title reflects that upon a promotion. Senior engineers don’t know everything. They’re not perfect in their technical knowledge, and they’re OK with that. We don't call it "old," we call it "experienced."
|
|
|
|
|
I'm senior developer in my firm - strange I am not getting discount bus fare just yet.
dev
|
|
|
|
|
|
What a good find! I enjoyed this article very much!
|
|
|
|
|
As software professionals, when was the last time we went to our bosses and said “No problem. I’ll build that brand new production system for you in 8-16hrs”? Probably never. Certainly not as often as we’ve freaked-out when the boss came to us with some impossible deadline. “You can’t expect me to build something effective, reliable, great in N-months!” we scream. “Be reasonable!” So why do we sell the myth of the 2-day app to non-profits and other mission driven organizations? Maybe we like the buzz of seeing ourselves as heroes able to jump tall-buildings with our nerd super-powers. Maybe we just like the pizza.
|
|
|
|
|
I think in some ways Microsoft really is Apple circa 1999. There are some differences of course. IT for business simply isn’t going to shift away from Microsoft. There really isn’t a competitor in that space. However more and more users (such as salespeople) may find they don’t need traditional desktop operating systems. I think Win8 is primarily an attempt to show to IT departments that they can have it all. That is the “have it all” is oriented towards Microsoft’s primary customer. And it ain’t end users. Is Windows RT really about enterprise sales after all?
|
|
|
|
|
Stuxnet proved that any actor with sufficient know-how in terms of cyber-warfare can physically inflict serious damage upon any infrastructure in the world, even without an internet connection. In the words of former CIA Director Michael Hayden: “The rest of the world is looking at this and saying, ‘Clearly someone has legitimated this kind of activity as acceptable international conduct’.” Governments are now alert to the enormous uncertainty created by cyber-instruments and especially worried about cyber-sabotage against critical infrastructure. Wouldn't you prefer a nice game of chess?
|
|
|
|
|
In this article, I will present all of the post-mortems and figures I’ve found interesting, and I will also explain how SQUIDS fits into the overall picture. But first, I would like to quickly give my opinion on few of the App Store myths you may believe if you’re not an experienced iOS developer. There are plenty of ways to view the App Store, but my point is that you might be a bit surprised by what the App Store really means in terms of money. Anyone can play. The rules are different than you think, though.
|
|
|
|