Comment Re: Haha, let them. (Score 2) 258
Woooooosh
I agree that there is no excuse not to use bcrypt.
You can basically attempt all 8-character passwords in a few minutes per user on modern hardware (the salt adds 0 computation complexity, but as you say, it forces you to actually have to do the calculation instead of doing a lookup).
Also, the whole point is that key derivation is slow. Of course the "secret from which keys are derived" is available (it is necessarily so; it's stored, along with the cost factor, as part of bcrypt's output, for example). But the fact that you have to go through 2^N iterations, where N is usually >= 10, throws a meaningful speed bump in front of high-speed cracking. Now instead of brute forcing any given 7-character alphanumeric case-sensitive password in ~half an hour, it'll take you > 20 days on average.
This is completely orthogonal to the fact that salted hashed passwords have never been an appropriate means to store a password. http://codahale.com/how-to-safely-store-a-password/
The key derivation functions can be literally several orders of magnitude harder to brute force. And their difficulty can be chosen with simple parameters, with sane defaults. There is really no comparison between a singly salted hashed password and bcrypt/scrypt.
Check out table 1 in this paper to get a sense: https://www.tarsnap.com/scrypt/scrypt.pdf
Assuming the cracker has access to the salt and a GPU, the only thing keeping users safe now is the entropy inherent in the passwords they chose.
It doesn't have to be like that. Instead of plugging in Good Salted Hashed Password Library, you can plug in Bcrypt Library or Scrypt Library *and protect even the users who chose bad passwords*.
Can you explain this a bit more?
If the hackers didn't get the salt, and only have the salted hashes, and let's say the salt is a 20-character random phrase using numbers, letters and symbols, what is the weak spot?
I'm sure many
The size of the salt is relevant only insofar as you want to be sure that each user has their own unique salt. The salt is stored in plaintext (or, I suppose, it could be encrypted, but then the decryption key must be stored in an accessible place). The point is that the crackers must be assumed to have recovered the salts.
So now those salts protect you against pre-computed hashes. The cracker has to attempt each password individually. But most people use one of the few thousand most common passwords. And inexpensive modern hardware lets you attempt billions of SHA hashes per second. So... Salted and hashed does very little for you at this point.
Instead of salting and hashing, use a key derivation function (e.g., bcrypt, scrypt).
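The two comments above (the one on 2^N iterations and the one on salted hashes doing "very little") both come down to one number: how many guesses per second an attacker with the salt can make. The following is an added example, not code from any commenter or from the linked articles; it implements the "salted hash" scheme the thread criticises beside a memory-hard KDF (scrypt, via Python's standard `hashlib`; bcrypt needs a third-party package so scrypt stands in for it here), stores the salt in the clear exactly as the thread says real systems do, and measures the per-guess cost of each so a defender can see why the cost factor, not the salt, is what protects weak passwords. The password, salt and cost parameters are constructed for the demo.

```python
import hashlib
import hmac
import os
import time

# Constructed sample credential and salt for the demo (not from any real breach).
SAMPLE_PASSWORD = "correct horse"
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed 16-byte salt

# Demo cost parameters: N is scrypt's CPU/memory cost (2^14 here), r the block
# size, p the parallelism. On production hardware N is tuned upward until one
# verification takes as long as the login path can tolerate.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1


def hash_salted_sha256(password: str, salt: bytes) -> bytes:
    """The 'salted hash' scheme the thread criticises: one cheap SHA-256 over salt||password."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def hash_scrypt(password: str, salt: bytes) -> bytes:
    """A memory-hard key derivation function. The salt is still stored in the clear;
    the cost parameters are what make each guess expensive."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def make_record(password: str, hash_fn) -> dict:
    """Store what a real system stores: a per-user random salt in plaintext beside the digest."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": hash_fn(password, salt)}


def verify(password: str, record: dict, hash_fn) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_fn(password, record["salt"]), record["digest"])


def guesses_per_second(hash_fn, salt: bytes, window: float = 0.25) -> float:
    """Measure how many candidate passwords one CPU core can hash per second
    against a single known salt. A defender uses this figure to choose a cost
    factor: the lower it is, the more a weak password survives a database leak."""
    count = 0
    start = time.perf_counter()
    while time.perf_counter() - start < window:
        hash_fn("candidate%d" % count, salt)
        count += 1
    return count / (time.perf_counter() - start)


def slowdown_factor() -> float:
    """How many times more expensive one scrypt guess is than one salted-SHA-256 guess."""
    fast = guesses_per_second(hash_salted_sha256, SAMPLE_SALT)
    slow = guesses_per_second(hash_scrypt, SAMPLE_SALT)
    return fast / slow


if __name__ == "__main__":
    rec_sha = make_record(SAMPLE_PASSWORD, hash_salted_sha256)
    rec_kdf = make_record(SAMPLE_PASSWORD, hash_scrypt)
    print("salted sha256 verify:", verify(SAMPLE_PASSWORD, rec_sha, hash_salted_sha256))
    print("scrypt verify:       ", verify(SAMPLE_PASSWORD, rec_kdf, hash_scrypt))
    print("one scrypt guess costs roughly %.0fx one salted-SHA-256 guess"
          % slowdown_factor())
```

The salt is identical in both schemes and equally exposed; the only difference is the cost per guess, which is the thread's point. Note that a pure-Python SHA-256 loop already understates the attacker's advantage, since a GPU hashes orders of magnitude faster than this loop, while scrypt's memory requirement (128 * N * r bytes per guess) does not shrink on a GPU.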
And yet, with no extra effort on Living Social's part -- simply by choosing a bcrypt library instead of a custom hash/salt scheme -- even a user with a weak password would be protected.
So, sure, I might agree with you, but that doesn't absolve Living Social.
Why is it "fortunate" that the passwords were hashed and salted? Unless they've used key derivation functions (e.g., bcrypt, scrypt) and are actually under-selling their sophistication, this seems Very Bad for their customers.
As someone who has Amazon Prime (I got it for like $39 as a grad student and it's still good until this summer) and uses a Roku, I can tell you that I would definitely not be paying for a "KindleTV" + Prime if they dropped my Roku.
Why? Because their library sucks, the interface is fucking terrible, and the way they don't group show seasons together into one show is just wrong.
Amazon doesn't need to work on a Roku replacement, they need to work on a Prime Video replacement and pronto.
If they could now re-design a furniture store where customers would buy furniture which would then be delivered to their homes already assembled, it would be a huge step forward. Oh wait...
School districts do this too when levies don't pass. They immediately cut athletic programs and bus service.
My bad, I meant to include the source: http://www.dhs.gov/xlibrary/assets/budget_bib_fy2011.pdf
Behavior Detection Officers (BDOs): An increase of $20M and 350 BDOs (210 FTE) is
requested to further enhance TSA's Screening Passengers by Observation Techniques
program. The FY 2011 request includes a total of 3,350 officers, to enhance coverage at
lanes and shifts at high risk Category X and I airports, and expand coverage to smaller
airports.[...]
Transitioned validated multi-cultural indicators of hostile intent, and demonstrated a
mobile device that enables TSA Behavioral Detection Officers to record observations,
automatically calculate behavior-based scoring, and share information among peers
and with supervisors in near-real time. This potentially saves TSA an estimated 60 -
120 FTEs.
I did my masters thesis on this subject and the TSA is doing the same thing the Israelis are. In fact, they spend a lot more than you would think on doing it. The problem seems to be that because people A) don't recognize this effort, B) because it's just as expensive as the machines, and C) it's just as ineffective because it ignores the fact that terrorists could walk into the building strapped with explosives in front of the screening area and kill hundreds+ of people.
So I was bored and decided to watch a few of the pilots. As someone who loved Netflix's House of Cards, I was excited to see what Amazon had in store for us of similar caliber. Well, suffice to say that spreading their dollars across numerous pilots instead of one single show gets you what you expect: utter trash.
Those Who Can't, a story about three teachers (gym, history, and Spanish) was utterly terrible. They hated a jock in the school who was constantly annoying them and being the stereotypical douchebag. The script was jerky, the acting was bad, and the entire premise was overdone. Not impressive in the least, in fact in many instances it was downright painful.
Alpha House starts out great with Bill Murray getting arrested and John Goodman watching as he freaks out but it goes downhill from there mostly because Murray is not on the show after that first 45 second cameo. The vulgarity (something I don't mind in the least and use regularly myself) is there for vulgarity's sake, not because it makes sense in the dialogue. The show itself is slow, boring, and pointless. It's like Amazon was trying to make fun of House of Cards on SNL but failing as SNL tends to do so well.
While I haven't watched all the pilots yet, I really don't think I have much desire to do so. I am still waiting for more House of Cards and certainly more Arrested Development on Netflix but this Amazon shit is just bad. They need to get their shit together and up their game if they think they're going to compete with Netflix's first-run flagship.
I'd rather just believe that it's done by little elves running around.