Slashdot is powered by your submissions, so send in your scoop


Forgot your password?
For the out-of-band Slashdot experience (mostly headlines), follow us on Twitter, or Facebook. ×

Comment: Re:Ummmm... (Score 1) 241 241

There's better options than PBKDF2, like scrypt. Also, both require you to chose some parameters; PBKDF2 with a salt of String.Empty, hash algorithm of MD5, and iteration count of 1 is... just an MD5-hashed password. Obviously, those are terrible and stupid parameters, but if people were *good* at choosing secure options then this whole thread wouldn't exist. At least scrypt *only* has the work factor, and it's pretty straightforward.

Comment: Re:Security theater questions (Score 1) 241 241

There's generally no way to send the user a secure (i.e. encrypted) message. All you can do is make the token short-lived and hope that nobody is intercepting server-to-server email traffic (and that the user's email account is secure, both from malicious clients and from server-to-client interception). It sucks, but until email encryption of one sort or another becomes more ubiquitous, it's the only workable option.

Comment: Don't encrypt! (Score 1) 241 241

Don't ever store passwords (reversibly) encrypted. Don't even (just) hash them; hash functions are way too fast (and yes, fast is bad here). There should be no way for anybody to get the password out of the info stored in the database, even if they know all your keys.

Use a slow key derivation function instead. PBKDF2 is popular, because it's easy to understand and widely supported; it's basically just taking a value (the password), salting it (you are using a strong, cryptographically random, per-user salt... right?) hashing it, salting the resulting digest again, hashing the salted digest, and repeating the last two steps over and over (tens of thousands of iterations are common). At the end of that, you compare the resulting digest to the value stored in the database; if they match, the user is authenticated. Obviously, don't try implementing this yourself; even simple crypto should always be written by an expert, and you should use the resulting library. There are lots of places to find it, though.

Alternatively, you can use the purpose-built algorithms like scrypt or bcrypt. These are more complex (and less widely implemented) than PBKDF2, but they also offer more advantages against brute forcing, such as requiring a lot of RAM during the computation so you can't build a massively parallel hash-cracking machine (a commodity GPU can do billions of hashes per second in parallel; these algorithms make those parallel attacks harder).

Comment: Re:Delete? (Score 1) 119 119

I'm glad to see someone besides me on /, isn't terrified of Facebook.

I use it and I think it's relatively harmless as long as you understand, as Rasperin says, it's a loud speaker. I expect everything I post on FB will be available to everyone, everywhere, forever. I long ago, many years before Facebook was a thing, figured out that if I never posted anything online I wouldn't want my sainted mother to see, I'd never have anything to worry about*. I speak my mind freely, but I would have no problem if my mother, my wife, my boss, my kids or my pastor were to see anything I've posted.

* Now, of course, that doesn't mean some day in the near future agents of the Ministry of Love won't show up at my door to conduct me to a re-education camp for my political views, but at least I know my mother won't be ashamed of me.

Comment: Re:False Flag (Score 2) 192 192

"Honestly, things which 10 years ago would have been the domain of crackpots is now 100% fact."
No. I keep hearing this but you guys must have lived on another planet. The fact that all governments sucked up just about all international communications dates back to the invention of the telegraph and maybe back to the mail.
Any idea that they were not monitoring all clear text transmissions over the internet frankly I find just dumb. As far as meta data that was always up for grabs.
False flag operations? That is in the realm of tin foil hats and crackpots. Frankly the rest of it is just common knowledge to anyone with a brain.

Comment: Re:Stuxnet (Score 1) 378 378

Now I don't want to be accused of defending the NSA, but they are not exactly the most transparent organization in the world. Just as with the FBI, CIA and DHS, we can point to their obvious screw-ups and overreaches but I for one believe that the fact that we are not being nickel-and-dimed on the terrorist front is due in part to their work.

I mean, they have the records of 8 scrillion phone calls and access to everyone's hard drives. One would hope that they are actually able to do something with all that.

Comment: Re:Nope! (Score 1) 378 378

Iran's only way out of it is to drop the nuclear program and stop being assholes.

Unless their plan is to nuke everyone and let Allah sort it out. You can't discount the idea that the Muslim extremists _want_ to see the world burn. Does the majority of the country want this? I seriously doubt that, but the mullahs sure do.

Unix: Some say the learning curve is steep, but you only have to climb it once. -- Karl Lehenbauer