
Comment Sustainable password hashing (Score 1, Informative) 77

I'm tooting my own horn, but you might find my article on long-term password hashing strategies helpful:


TL;DR version:
1) Use a one-way collision-resistant algorithm developed by professional cryptographers, and the implementation of which has been adequately studied and understood;
2) Do not use an algorithm with known vulnerabilities (this obvious step is sometimes not followed);
3) Use randomly-generated data—salt as additional input to the algorithm to minimize vulnerability to rainbow/lookup table attacks. The salt should be generated from a Cryptographically Secure Pseudo-Random Number Generator;
4) Use a long salt, preferably as long as the output of the hash function;
5) Use an adaptive hashing algorithm—that is to say, an algorithm with a configurable number of encryption iterations to slow attackers (a.k.a. key stretching). The number of iterations can be tuned as the speed of available hardware increases to keep the resulting hash secure. Such choices include PBKDF2, bcrypt and now scrypt.
6) At some point you will need to change your hashing function, in fact, probably many times. So store the algorithm along with the hash, e.g. ALG:HASH:SALT
7) Secure legacy hashes by wrapping the obsolete hash with a new one, e.g. encrypt the md5 hash of the guy who hasn't logged in for years in your new hashing algorithm and store it with a token like md5|pbkdf2:hash:salt
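
Points 5 to 7 of the comment above, as an added Python example (not code from the comment or its linked article). Assumptions: fields are hex-encoded in the ALG:HASH:SALT layout, the iteration count is carried in the ALG token as `pbkdf2@N`, legacy records are unsalted lowercase MD5 hex digests, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000   # assumed current work factor; raise it as hardware gets faster
SALT_LEN = 32          # as long as the SHA-256 output (point 4)

def _pbkdf2(data: bytes, salt: bytes, iters: int) -> str:
    return hashlib.pbkdf2_hmac("sha256", data, salt, iters).hex()

def hash_password(password: str, iters: int = ITERATIONS) -> str:
    """Create a new record in the ALG:HASH:SALT layout (point 6)."""
    salt = secrets.token_bytes(SALT_LEN)  # CSPRNG salt (point 3)
    return f"pbkdf2@{iters}:{_pbkdf2(password.encode(), salt, iters)}:{salt.hex()}"

def wrap_legacy_md5(md5_hex: str, iters: int = ITERATIONS) -> str:
    """Point 7: protect a stored MD5 digest without knowing the password."""
    salt = secrets.token_bytes(SALT_LEN)
    return f"md5|pbkdf2@{iters}:{_pbkdf2(md5_hex.encode(), salt, iters)}:{salt.hex()}"

def verify(password: str, record: str) -> tuple[bool, str]:
    """Return (ok, record); the record is replaced when its scheme is outdated."""
    alg, digest, salt_hex = record.split(":")
    chain = alg.split("|")                      # e.g. ["md5", "pbkdf2@200000"]
    kdf, _, iters_s = chain[-1].partition("@")
    if kdf != "pbkdf2" or chain[:-1] not in ([], ["md5"]):
        raise ValueError(f"unknown scheme {alg!r}")
    iters = int(iters_s)
    data = password.encode()
    if chain[:-1] == ["md5"]:
        # Replay the legacy step so the input matches what was wrapped.
        data = hashlib.md5(data).hexdigest().encode()
    ok = hmac.compare_digest(_pbkdf2(data, bytes.fromhex(salt_hex), iters), digest)
    if ok and (len(chain) > 1 or iters < ITERATIONS):
        # Only a successful login gives us the plaintext, so upgrade now.
        record = hash_password(password)
    return ok, record
```

The caller stores the returned record whenever it differs from the one it passed in, so wrapped MD5 entries and low-iteration entries disappear as users log in.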

Comment Let's have the data (Score 1) 634

This doesn't have to be complicated. All Google has to do is release their hiring statistics to a trusted third party, who interviewed during the last few years and who was hired for each position. Then the third party can investigate and find out the ages of everyone (which won't be hard). Then break it down by age group and see if there is a difference between how well applicants succeed based on age. This won't happen because I'm pretty sure Google knows how it will look.

Submission + - Ask Slashdot: Joining a Startup as an Older Programmer?

bdrasin writes: I've had a series of interviews with a late-term startup (approx. 300 employees) and I think there is a good chance they will make me an offer. The technology is great, my skills and interests are a good fit for the position, I think the company has a promising future, and I like the team. Frankly I'm damn excited about it, more so than for any job in my career.

However I'm worried about what could euphemistically be called "cultural" issues. I'm a few years over 40, with a wife and kids, and all of the engineers at the company seem to be at least 10 years younger than I am. Being at the company's office gives me a distinct old guy at the club feeling.

I don't think the overall number of hours the team works is more than I could handle, but the team does a lot of young-single-guy-at-a-startup group activities (rent-a-limo-and-go-clubbing night, weekends in Tahoe, Burning Man, in-office happy hour) that I wouldn't want or be able to participate in; I need to be home with my family for dinner most nights and weekends and so on.

I'm wondering if anyone else has had the experience of working at a startup with, or as, an older programmer, and how it worked out?
