undefined | Better HN

0 pointsibdknox15y ago0 comments

An oversight on my part :) Luckily, that is an exceptionally easy thing to fix.

Edit: and now it is :D

0 comments

7 comments · 1 top-level

zaph0d15y ago· 6 in thread

Still some nits -

* SHA-x is not an "encryption" algorithm, it's merely a cryptographically secure, one-way hash. The function name and the documentation are thus misleading.

* You shouldn't use SHA-x or MD5, etc. for password hashing anyway, because they are just way too fast! You should use BCrypt for password hashing.

I can submit patches if you wish :)

hencq15y ago

Just out of interest, what do you mean by 'way too fast'? I would think that having a fast hash would be a good thing. Or is it because an attacker can generate hashes for some dictionary very fast? Isn't this why you'd use a salt as well?

Sorry if these seem like dumb questions, just trying to learn.

zaph0d15y ago

Hashing algorithms like SHA-256 have a very interesting property, they are designed to be extremely fast (even with large amounts of data). That lets you generate millions of hashes per second on any modern CPU (much faster with GPUs). Salting doesn't help much because if your DB is compromised, you are still open to brute force or dictionary attacks.

BCrypt is a very good algorithm for hashing passwords because it's very slow (compared to SHA-x) and thus are extremely time consuming for an attacker. BCrypt also allows to incorporate a "work-factor" which makes the hashing even slower; that allows us to choose a higher work factor when more powerful computers become commonplace.

There are a lot of articles online that discuss this subject.

timclark15y ago

The faster you hash, the faster I can run a brute force attack on your password form.

1 more reply

JonnieCache15y ago

See http://codahale.com/how-to-safely-store-a-password/

ibdknoxOP15y ago

Absolutely! I don't claim to be an encryption expert, by any means. :)

zaph0d15y ago

I am no crypto expert either, but here is your patch - https://github.com/ghoseb/noir/commit/f814ea9d1bc7470197eb73... (pull request already sent).

Noir looks very good. Keep up the good work and let me know if you need any help ;)

j / k navigate · click thread line to collapse

0 comments

7 comments · 1 top-level

zaph0d15y ago· 6 in thread

Still some nits -

* SHA-x is not an "encryption" algorithm, it's merely a cryptographically secure, one-way hash. The function name and the documentation are thus misleading.

* You shouldn't use SHA-x or MD5, etc. for password hashing anyway, because they are just way too fast! You should use BCrypt for password hashing.

I can submit patches if you wish :)

hencq15y ago

Sorry if these seem like dumb questions, just trying to learn.

zaph0d15y ago

There are a lot of articles online that discuss this subject.

timclark15y ago

The faster you hash, the faster I can run a brute force attack on your password form.

1 more reply

JonnieCache15y ago

See http://codahale.com/how-to-safely-store-a-password/

ibdknoxOP15y ago

Absolutely! I don't claim to be an encryption expert, by any means. :)

zaph0d15y ago

I am no crypto expert either, but here is your patch - https://github.com/ghoseb/noir/commit/f814ea9d1bc7470197eb73... (pull request already sent).

Noir looks very good. Keep up the good work and let me know if you need any help ;)

j / k navigate · click thread line to collapse