
Comment Re:Hash and Salt (Score 3, Informative) 206

Salting is nice, but when the attacker gets both the hash and the salt, they can attack specific users.

Of course they can. The entire purpose of salting is to make it so that the same password, hashed two different times, produces completely different hashes. This has two important consequences. First, it makes it basically impossible to precompute password hashes. That's a big deal compared to the "without salt" case, where rainbow tables make checking against precomputed hashes very easy. Second, if two users on a system have the same password, you can't tell without computation. Said another way, it means you need to crack passwords individually rather than in bulk. This isn't game-breaking, but it's significant when you have million-user breaches.

All of the typical ways of storing password hashes store the salt alongside it. It's expected that an attacker that obtains the hash will obtain the salt. It's within the design.

If you want the password hash separate from a piece of key password-validation data, at that point the extra piece of data is a secret and what you're basically making is a message authentication code. But, it's very difficult to argue that this is ever really more secure.

Still, the 100k rounds of SHA256 seem decent.

Would bcrypt be any better than PBKDF2 here?

100k rounds of SHA256 is decent. The longer SHA2 variants are better, sure. More rounds is always better, of course. 100k is better than what most people use. But, if the decryption is always happening client-side (which it should), then ideally you can afford and should use many more rounds of SHA1. Maybe if they're using JavaScript, that limits how high they can jack the number of rounds up and still get reasonable performance on low-end devices.

I don't know that bcrypt is necessarily much better than what they're doing. It may be, but at a "details" level, not a "major benefit" level. Both bcrypt and PBKDF2 support many rounds and prevent precomputation, which are major features.

What would be better, if the devices they want to support can run it, is something like scrypt, which is resistant to hardware acceleration and thus much harder to crack in practice.
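The salt-stored-alongside-the-hash layout and the 100k-round PBKDF2-HMAC-SHA256 scheme discussed in this comment, as an added example (not the commenter's code); the `algorithm$rounds$salt$hash` record format is a constructed one for this example:

```python
import os
import hmac
import hashlib
from typing import Optional

# Parameters the comment discusses: PBKDF2 with HMAC-SHA256 and 100k rounds.
DIGEST = "sha256"
ROUNDS = 100_000
SALT_BYTES = 16


def make_record(password: str, salt: Optional[bytes] = None, rounds: int = ROUNDS) -> str:
    """Hash a password under a fresh random salt and return a self-describing
    record that stores the salt next to the hash (the normal, expected layout)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(DIGEST, password.encode("utf-8"), salt, rounds)
    # Constructed storage format for this example: algorithm$rounds$salt$hash (hex).
    return f"pbkdf2_{DIGEST}${rounds}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and round count, then compare
    in constant time so the check leaks nothing through timing."""
    algo, rounds, salt_hex, hash_hex = record.split("$")
    digest = algo[len("pbkdf2_"):]
    dk = hashlib.pbkdf2_hmac(
        digest, password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))


def hashes_collide(record_a: str, record_b: str) -> bool:
    """Compare only the stored hash fields of two records. With per-user salts
    this is False even when both users chose the same password, which is why
    an attacker must crack each record individually rather than in bulk."""
    return record_a.split("$")[3] == record_b.split("$")[3]
```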

Comment Re:and the beer is really good (Score 1) 528

They import quite a lot of Belgian beers here. The style category is popular, so of course there are plenty of terrible attempts, but there are a lot of American brewers making Belgian-style beers that do an excellent job.

You're free to go tell Ommegang, Allagash, Russian River, or Jester King they're doing things wrong.

Comment Re:and the beer is really good (Score 1) 528

Well yeah. It's the same way with American beer -- we've got lots of good beer, but most of what people buy is the crap, so it's the most visible. Similarly, brands like Beck's dominate sales in Germany, despite the fact that Germany has many perfectly good beers. (The subtleties of the different cultures and economies of beer are different, but the large-scale picture is similar in this way.)

Comment Re:What's that you say? (Score 1) 528

It's free because when you invest money, and get more out of it than you put in, it's free.

No, it's not free at all. It's an investment. That is, it ties up your money and subjects you to risk. Not free.

Apparently it's a profitable investment, which, if you're a government that can afford to take that risk, is a better deal than free.

"Free" is a decent approximation for casual conversation, then. But it's not free. Call it what it is. A profitable investment!

Comment Re:and the beer is really good (Score 2) 528

They are not that good, they are just served in larger portions, which makes all the difference... (Well, that and they generally have more alcohol than what Americans are used to).

That's a tough sell. Most of the popular German beers are only around 5%. That's more than Bud Light but not outside the range that any college student would be used to. But many of those are served at ~350 mL (12 oz). Weizenbier is often served by the half liter, but that's just a pint. The only German beers that are regularly served in a Mass (liter) are Munich beers. Those are often ~4%. So you're really down to just Munich festbier, which can be north of 5% and served in two-pint glasses.

The real devil is the undertrained American bartender who will pour you a pint of a Scotch ale, Russian Imperial Stout, Belgian quad, barleywine, or big double IPA. Oof.

Comment Re:and the beer is really good (Score 1) 528

To be fair, if you go to any sizable store or gathering in Germany, it's quite clear that the vast majority of what anyone sells, buys, or drinks is crap like Beck's.

Weizenbier is probably the most widely-available good beer in Germany. (Though, IMO, a Jever will do in a pinch.) More regionally, helles, festbier, and dunkel from respected breweries are good. Same with rauchbier or schwarzbier, but those are an odder flavor and less common. Koelsch is excellent.

There are some good Pils also, but it's not a flavor everyone likes, and it's so popular in the mass market that you've got to be careful about what you're buying.

Comment Re:and the beer is really good (Score 2) 528

That's so 2000s.

Now it's Belgians. No, wait, sorry, that was two years ago. Saisons? "Farmhouse"? No, that was last year. Sours. I think it's sours now. Especially gose or barrel-aged. Though there's always been a level of support for anything barrel-aged, especially if the alcohol level makes you double check to make sure it's not wine you're buying.

The hoppiness is probably a byproduct of the fact that we have good hop breeding labs and a lot of brewers tired of beer with no bitterness. (Incidentally, Germany has good hop breeding labs, too, but they have a hard time selling their more aggressively-flavored products locally. Sad for a country that's fighting losing one of the world's finest hops to disease and that processes a ton of delicately-flavored hops into canned hop extract.)

Also, it's dextrose-heavy double IPAs that taste like an ethanol-water hop tea. (Or, if you prefer, triple-strength Bud Light with hops.) Even quite hoppy single IPAs still have a noticeable malt presence and yeast esters.

Comment Re:and the beer is really good (Score 2) 528

The unusual quality that might irritate people used to Bud Light is called "taste", and is usually considered a good thing in beers.

It would be a tough call to choose between the so-called "flavor" of Beck's or Bitburger and the lack thereof of Bud Light.

Mercifully, in Germany and the US, you can get good beer. It accounts for a small fraction of nationwide sales (and a tiny fraction of exports) in either case, but it's there.

Germany is heavy on tradition, so most of the breweries that are good have been doing this a long time. The mass-market is newer and sucks. In the US, the closest thing to a worthwhile traditional beer is something like PBR or Narragansett. (The mass-market crap we got from a combination of German immigrants and industrialization.) So all of our good breweries are young and experimental. Either works, but sadly, neither makes a sizable dent in mass-market beer.

Comment Re:Personal finance knowledge (Score 2) 583

Your company has to provide the option for a 401k. If they don't, and they also don't offer any other retirement savings plan, there are self-directed ones that require more research. If they do offer a 401k, you need to at least withhold enough to fully get the company match, or you're throwing away money.

The next step is to max out Roth IRA contributions (generally $5500/yr, last I knew). These are both tax-deferred and tax-free upon withdrawal, and there's an income limit on contributions--so investing in them young is very valuable. Roth IRAs you do yourself. Lots of reputable companies will set these up for you. Generally, a retirement account that has a periodic deposit attached to it should have no fees. They'll also provide help getting it set up. If you can't get those two things, find someone else who will. Fidelity and Vanguard are good options.

After that, there are many options. If your 401k is good, you could just increase the withholding on that.

Use big, popular index mutual funds with low fees. If you're young, lean toward stocks. Say, 10-20% bond index fund and 80-90% equity indexes. Equity indexes should be mostly domestic but some international and should include both large-cap and small-cap. A typical boring 401k portfolio for a young person might be 10% bond index, 55% S&P 500 index, 20% international index, and 15% small-cap index.

When you change jobs, roll your 401k over into an IRA so that you're using your preferred vendor and have better control of it. You'll find that the company getting your money is happy to help you set that up.

Once you have substantial retirement savings, particularly under a single company's umbrella, investment advice becomes much cheaper and easier to come by.

Comment Re:Buying cars based on fuel price... ugh (Score 1) 622

Sort of. One of the major design elements of a real hybrid is that it uses a smaller, more efficient gas engine. That's what the electric motor is really there for -- the gas engine can't provide enough power on its own for proper acceleration under many circumstances, but the two motors combined can. So the electric motor is the thing that enables you to have a small, efficient gas engine, and the regenerative braking is just a good power source for the electric motor. On the highway, the hybrid has to carry around the weight of the electric system, but it carries less engine weight and still benefits from using a small engine.

In practice, for me at least, I get 45 mpg highway out of a Prius, which is pretty decent.
