Always salt your hashes

Always salt your hashes.

>eating hash browns in 2017
fuck off meat eater

Is this the new humor thread

>tfw you use CRYPT_BLOWFISH with 7 rounds but at the same time too lazy to implement https for login and registration

moderate kek

What's a good frozen hash brown and do I need a deep fryer?

What do you mean implement. Just tell your framework to use HTTPS everywhere, point it to your certificate, and you're done.

>server
>passwords
>hashes not salted
>2017
It still happens

Let the web server do the job. If your application has its own web server, point an nginx or Apache or lighttpd reverse proxy with HTTPS at it.
That also adds the convenience of being able to read clear-text traffic on your end.

I don't want to use https on the whole site because I don't want to buy a paid cert

letsencrypt is only good enough for login/registration for me

Sup Forums's secure tripcode salt was like literally LOLOLOLOLOL or something like that.

Someone found it out and started cracking secure trips so they had to change it.

>letsencrypt is only good enough for login/registration for me
How so? Why not the whole site?

>tripcode salt
huh

Heh, makes me remember when Apple Cloud got brute forced in 2014.

read again
>secure tripcode salt

oh, only applies to "secure" tripcodes
yeah thx

test#FE9t'Hk.qi#faggot

letsencrypt is still not trusted by all browsers/systems (old ones)

what old systems do you mean? If I remember correctly (tested this a while ago) even the Android 2.3 browser works

and looks like XP does as well

letsencrypt.org/upcoming-features/
>Windows XP Certificate Compatibility
>Enabled: March 25, 2016

look here
letsencrypt.org/docs/certificate-compatibility/

> Blackberry OS v10, v7, & v6
> Android < v2.3.6
> Nintendo 3DS
> Windows XP prior to SP3 - cannot handle SHA-2 signed certificates
> Java 7 < 7u111
> Java 8 < 8u101
shouldn't really be a concern IMO

xhamster recently switched to https and they don't use letsencrypt

they know why

my traffic comes from around the world with some of the most obscure configs

Expound.

but where is the salt stored? I never understood this. Wouldn't it be easy to find the salt in cleartext?

...

How did we come to using the word "salt" in a technology variation

Who thought "this key should be named 'salt'"?

You can just attach the salt to the hashed password. It's not actually important that the salt be kept secret (although you can try and keep it secret, in which case it's called a pepper instead).

The point of a salt is to make precomputed hash tables useless. Giant rainbow tables of common passwords and their hashes are easy to find floating around. Without a salt, all a hacker has to do is look up the hash. With a salt, he has to compute an entirely new table, which is an expensive process. If every hash had a different salt, he has to make a new table for every password, slowing him down significantly.

And when possible use something like bcrypt or scrypt.

So long as you don't support SSLv2.

there's probably animal product in the greasy exterior?

I don't have a PhD in Mathematics. How am I supposed to understand this joke? This is discrimination.

Computers are racist

>fuck off meat eater
You are weak and will not survive the winter.

Just go to the store and buy some hash browns.

You can probably order some online if you're ultra agoraphobic.

You don't need no deep fryer. Shit you can put those bad boys in a toaster, or a microwave. Hell use a blow torch if you're homeless and don't have a kitchen.

To be specific, suppose you use a two-character salt with 64 possible characters (like the Linux crypt() function). Then you've got 4096 different salt combinations, and very few attackers care to keep 4096 rainbow tables around.

The key here is that users are assholes so the salt protects *common* passwords. For example, if you have 4000 assholes who use "password" for a password then without a salt they'll hash to:

xQPHYlVDIw6

The attacker can look in your password database and see that 4000 people have this one hash, and once they break it they gain entry to 4000 accounts.

But if you salt each asshole's password with a different combo, then your attacker gets something like:

aajfMKNH1hTm2
abJnggxhB/yWI
acBxUIBkuWIZE
advwtv/9yU5yQ

Your attacker can see the salts in plain text (the first two characters of each hash: aa, ab, ac, and ad). But they can't easily see that each hash is the same password. Moreover, if they manage to break the first hash, they haven't automatically broken the other three.
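The two posts above (the salt/pepper explanation and the crypt() two-character salt walkthrough) can be shown end to end in a few lines. This is an added example, not code from anyone in the thread. It assumes a stored record of the form `pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>` (my own layout, not any library's), uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for the bcrypt/scrypt the thread recommends, and treats the optional `pepper` argument as the server-side secret the thread calls a pepper. The sample users are constructed.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Work factor for PBKDF2-HMAC-SHA256. bcrypt or scrypt would be the preferred
# choice, as the thread says; PBKDF2 is used here only because it ships with
# the standard library. Both constants are assumptions of this example.
ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: every user with the same password
    ends up with the same stored value, so one lookup cracks them all."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, pepper: bytes = b"") -> str:
    """Return a self-describing record: 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>'.

    The salt is random per user and stored in the clear next to the hash;
    it does not need to be secret. The optional pepper is a server-side
    secret mixed into the input but never written to the database."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8") + pepper, salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def salt_of(record: str) -> bytes:
    """The salt is readable by anyone holding the record, exactly as the
    two leading characters of a classic crypt() hash are."""
    return bytes.fromhex(record.split("$")[2])


def verify_password(password: str, record: str, pepper: bytes = b"") -> bool:
    """Re-derive the hash with the stored salt and iteration count and
    compare in constant time. Malformed records simply fail verification."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8") + pepper,
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def distinct_stored_values(passwords: Iterable[str], salted: bool) -> int:
    """Number of distinct values a password table would hold for these
    passwords: 1 for an unsalted table of identical passwords, N when salted."""
    if salted:
        return len({hash_password(p) for p in passwords})
    return len({unsalted_hash(p) for p in passwords})


if __name__ == "__main__":
    # Constructed sample: twenty users who all chose "password".
    lazy_users = ["password"] * 20
    print("unsalted distinct values:", distinct_stored_values(lazy_users, salted=False))
    print("salted distinct values:  ", distinct_stored_values(lazy_users, salted=True))
    rec = hash_password("hunter2")
    print("stored record:", rec)
    print("salt visible in record:", salt_of(rec).hex())
    print("verify correct:", verify_password("hunter2", rec))
    print("verify wrong:  ", verify_password("hunter3", rec))
```

Run it and the unsalted table shows one value for all twenty users, the salted table shows twenty, and the salt sits in the record in the clear while verification still works by reading it back out. A record made with a pepper only verifies when the same pepper is supplied, which is the "keep it secret on the server" property the thread describes.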

thanks. this pretty well clears up my question. I guess I thought salting was supposed to make finding the password impossible. I've never seen it discussed anywhere.

>Buying overpriced frozen prepackaged food
I bet you buy pre-built desktops as well you normie.

>buy a sack of regular potatoes
>get out your cheese grater or get a cheap one
>shred the spuds to your liking
>get out any old frying pan or skillet
>put some butter or oil on it, whatever is more convenient
>fry hash
>salt hash
>put whatever else you want, pepper, spice, etc.

Literally 3 extra minutes to make the best and cheapest hash every time, all the time.