undefined | Better HN

0 pointsehutch798mo ago0 comments

Users don’t use unique passwords. Don’t expect them to.

0 comments

For a backend you can enforce unbruteforceable API keys that are long and random.

What does that look like, and how does that prevent a compromise exposing users whose non-unique passwords are stored in a known broken hash?

sneak8mo ago

if you enforce long random server-assigned api keys they are guaranteed to be unique.

you don’t need bcrypt or pbkdf with api keys, as they are not passwords. they are high entropy and unique and long - unlike passwords.

j / k navigate · click thread line to collapse

sneak8mo ago

For a backend you can enforce unbruteforceable API keys that are long and random.

ehutch79OP8mo ago

What does that look like, and how does that prevent a compromise exposing users whose non-unique passwords are stored in a known broken hash?

sneak8mo ago

if you enforce long random server-assigned api keys they are guaranteed to be unique.

you don’t need bcrypt or pbkdf with api keys, as they are not passwords. they are high entropy and unique and long - unlike passwords.

j / k navigate · click thread line to collapse