Comment Re:Hash and Salt (Score 1) 206

Yes, that's what I was saying. Salting uses a non-secret nonce. You could set up some system with a secret nonce, but then it would be a different construction than "salt" (and hard to argue that it's better).

Having access to the salt does make it much easier to crack the password. In fact, it's basically necessary to crack the password. It is still considered non-secret, though.

Comment Re:Hash and Salt (Score 1) 206

That situation is partially the result of more widespread use of salt. It doesn't magically make bad passwords hard to crack (as you point out). But it used to be the case that, with rainbow tables, you could crack even moderately difficult passwords very quickly. It also adds a pretty substantial slowdown for large password breaches -- even though all the easy passwords will be cracked anyway, a factor of hundreds of thousands slowdown starts changing the "easily crackable" threshold.

Comment Re:Hash and Salt (Score 3, Informative) 206

Salting is nice, but when the attacker gets both the hash and the salt, they can attack specific users.

Of course they can. The entire purpose of salting is to make it so that the same password, hashed two different times, produces completely different hashes. This has two important consequences. First, it makes it basically impossible to precompute password hashes. That's a big deal compared to the "without salt" case, where rainbow tables make checking against precomputed hashes very easy. Second, if two users on a system have the same password, you can't tell without computation. Said another way, it means you need to crack passwords individually rather than in bulk. This isn't game-breaking, but it's significant when you have million-user breaches.

All of the typical ways of storing password hashes store the salt alongside it. It's expected that an attacker that obtains the hash will obtain the salt. It's within the design.

If you want the password hash separate from a piece of key password-validation data, at that point the extra piece of data is a secret and what you're basically making is a message authentication code. But, it's very difficult to argue that this is ever really more secure.

Still, the 100k rounds of SHA256 seem decent.

Would bcrypt be any better than PBKDF2 here?

100k rounds of SHA256 is decent. The longer SHA2 variants are better, sure. More rounds is always better, of course. 100k is better than what most people use. But, if the decryption is always happening client-side (which it should), then ideally you can afford and should use many more rounds of SHA1. Maybe if they're using JavaScript, that limits how high they can jack the number of rounds up and still get reasonable performance on low-end devices.

I don't know that bcrypt is necessarily much better than what they're doing. It may be, but at a "details" level, not a "major benefit" level. Both bcrypt and PBKDF2 support many rounds and prevent precomputation, which are major features.

What would be better, if the devices they want to support can run it, is something like scrypt, which is resistant to hardware acceleration and thus much harder to crack in practice.

Comment Re:and the beer is really good (Score 1) 528

They import quite a lot of Belgian beers here. The style category is popular, so of course there are plenty of terrible attempts, but there are a lot of American brewers making Belgian-style beers that do an excellent job.

You're free to go tell Ommegang, Allagash, Russian River, or Jester King they're doing things wrong.

Comment Re:and the beer is really good (Score 1) 528

Well yeah. It's the same way with American beer -- we've got lots of good beer, but most of what people buy is the crap, so it's the most visible. Similarly, brands like Beck's dominate sales in Germany, despite the fact that Germany has many perfectly good beers. (The subtleties of the different cultures and economies of beer are different, but the large-scale picture is similar in this way.)

Comment Re:What's that you say? (Score 1) 528

It's free because when you invest money, and get more out of it than you put in, it's free.

No, it's not free at all. It's an investment. That is, it ties up your money and subjects you to risk. Not free.

Apparently it's a profitable investment, which, if you're a government that can afford to take that risk, is a better deal than free.

"Free" is a decent approximation for casual conversation, then. But it's not free. Call it what it is. A profitable investment!

Comment Re:and the beer is really good (Score 2) 528

They are not that good, they are just served in larger portions, which makes all the difference... (Well, that and they generally have more alcohol than what Americans are used to).

That's a tough sell. Most of the popular German beers are only around 5%. That's more than Bud Light but not outside the range that any college student would be used to. But many of those are served at ~350 mL (12 oz). Weizenbier is often served by the half liter, but that's just a pint. The only German beers that are regularly served in a Mass (liter) are Munich beers. Those are often ~4%. So you're really down to just Munich festbier, which can be north of 5% and served in two-pint glasses.

The real devil is the undertrained American bartender who will pour you a pint of a Scotch ale, Russian Imperial Stout, Belgian quad, barleywine, or big double IPA. Oof.

Comment Re:and the beer is really good (Score 1) 528

To be fair, if you go to any sizable store or gathering in Germany, it's quite clear that the vast majority of what anyone sells, buys, or drinks is crap like Beck's.

Weizenbier is probably the most widely-available good beer in Germany. (Though, IMO, a Jever will do in a pinch.) More regionally, helles, festbier, and dunkel from respected breweries are good. Same with rauchbier or schwarzbier, but those are an odder flavor and less common. Koelsch is excellent.

There are some good Pils also, but it's not a flavor everyone likes, and it's so popular in the mass market that you've got to be careful about what you're buying.

Comment Re:and the beer is really good (Score 2) 528

That's so 2000s.

Now it's Belgians. No, wait, sorry, that was two years ago. Saisons? "Farmhouse"? No, that was last year. Sours. I think it's sours now. Especially gose or barrel-aged. Though there's always been a level of support for anything barrel-aged, especially if the alcohol level makes you double check to make sure it's not wine you're buying.

The hoppiness is probably a byproduct of the fact that we have good hop breeding labs and a lot of brewers tired of beer with no bitterness. (Incidentally, Germany has good hop breeding labs, too, but they have a hard time selling their more aggressively-flavored products locally. Sad for a country that's fighting losing one of the world's finest hops to disease and that processes a ton of delicately-flavored hops into canned hop extract.)

Also, it's dextrose-heavy double IPAs that taste like an ethanol-water hop tea. (Or, if you prefer, triple-strength Bud Light with hops.) Even quite hoppy single IPAs still have a noticeable malt presence and yeast esters.
