
Comment Re:Be insanely great. (Score 1) 428

Well... here's the thing. 99% of people just don't need more than 16 or 32 GB of RAM. I don't do any video editing, but at any given time, at work, I have several VMs open, Chrome or Firefox (which tend to hog memory), a couple of development environments (usually PyCharm, VS, Android Studio or Eclipse), and several more lightweight things - IPython, Sublime Text and a couple more.

At max, if I set the VMs to too much RAM, this adds up to about 16 gigs of RAM. 32 gigs? No way I could get up to that. Maybe if I had an itch to keep 30 tabs open in Chrome instead of my usual ~6.

In the past with weaker computers, I used to ration my RAM. Haven't needed to do that in the last couple of years. Same goes for CPU - anything that's not really computationally expensive just doesn't take a long time to run nowadays. We've more or less reached the point where computers are good enough.

Comment Re:Cyberwar may be necessary as a learning moment (Score 1) 57

Not so sure about that.
We've had the Internet up, alive and working for what, going on 20 years now? With no major outages? Redundancy every step of the way? I think it's OK to assume that the Internet will be around, excepting armageddon or maybe a world war.

That said, any one system can be taken offline by targeting it specifically.

Comment Answers (Score 5, Informative) 77

Where do I perform hashing (smartphone/web client or server)?
You hash twice, with different salts - once on the client side and once again (i.e., hash the hash) on the server side. The doubly-salted, doubly-hashed password is the one you store.

What hash algorithm should I use?
You said it yourself - bcrypt. bcrypt allows you to set a cost, which increases password brute-forcing difficulty but also increases computational cost on every verification. Set the cost to be the maximum you can handle - if you have a stronger computer and fewer users, you can set a higher cost.

How do I store the hashes?
Chrome uses encrypted SQLite for browser saved passwords. Which encryption depends on the platform - Windows has CryptProtectData, KDE and Gnome have keyrings. The basic idea for all of these is to use some symmetric encryption algorithm (e.g. AES) with the key derived from some set of hashes on machine-specific data, like hardware serial numbers. If you want to go hardcore, use a hardware encryption dongle (HSM).
Note that it is important to encrypt the file on disk, but it is also important to make sure that decrypted hashes stay in server memory for as little as possible.

How can clients recover forgotten passwords?
They can't recover forgotten passwords - you're only storing hashes, remember? What they can do is reset their password. Two-factor authentication is best (a verified email account and phone number, if you can send SMSes or automated calls), but at least email and a security question seems to be the standard.
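The first two answers above (hash once on the client and again on the server with a different salt, and tune the cost to the maximum the server can afford) can be shown end to end in a short program. The following is an added example and is not code from the commenter or from Slashdot. Because bcrypt is not in Python's standard library, it uses PBKDF2-HMAC-SHA256 from hashlib as a stand-in, with the work factor expressed as a power of two like bcrypt's cost; the service-wide client salt, the record format and the cost-tuning helper are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
import time

# Added example, not part of the Slashdot comment above. bcrypt is not in
# Python's standard library, so PBKDF2-HMAC-SHA256 (hashlib) stands in for
# it; the cost is a power-of-two iteration count, like bcrypt's work factor.
ALGO = "pbkdf2-sha256"

# Client side: a fixed, service-wide salt (constructed value for the example)
# so the client-side pre-hash of one password differs between services.
CLIENT_SALT = b"example-service-v1-client-salt"
CLIENT_ITERATIONS = 10_000


def client_prehash(password: str) -> bytes:
    """First hash, done on the client: the raw password never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               CLIENT_SALT, CLIENT_ITERATIONS)


def server_hash(prehash: bytes, salt: bytes, cost: int) -> bytes:
    """Second hash, done on the server, with a per-user random salt and a tunable cost."""
    return hashlib.pbkdf2_hmac("sha256", prehash, salt, 2 ** cost)


def make_record(prehash: bytes, cost: int = 12) -> str:
    """Build the string the server stores: algorithm, cost, salt and hash.
    The salt is random per user, so equal passwords give different records."""
    salt = os.urandom(16)
    digest = server_hash(prehash, salt, cost)
    return "$".join([ALGO, str(cost),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify(record: str, prehash: bytes) -> bool:
    """Recompute the server hash from the stored parameters and compare in
    constant time; the stored digest is never sent back to the client."""
    algo, cost, salt_b64, digest_b64 = record.split("$")
    if algo != ALGO:
        return False
    computed = server_hash(prehash, base64.b64decode(salt_b64), int(cost))
    return hmac.compare_digest(computed, base64.b64decode(digest_b64))


def time_verification(cost: int) -> float:
    """Seconds one server-side verification takes at the given cost on this machine."""
    prehash = client_prehash("timing-probe")
    salt = os.urandom(16)
    start = time.perf_counter()
    server_hash(prehash, salt, cost)
    return time.perf_counter() - start


def choose_cost(budget_seconds: float, min_cost: int = 10, max_cost: int = 20) -> int:
    """Pick the largest cost whose verification time stays within the budget
    ("the maximum you can handle"). Starts at min_cost and stops raising the
    cost once the measured time exceeds the budget or max_cost is reached."""
    cost = min_cost
    while cost < max_cost and time_verification(cost + 1) <= budget_seconds:
        cost += 1
    return cost


if __name__ == "__main__":
    # Enrollment: the client sends only the pre-hash; the server stores a record.
    stored = make_record(client_prehash("correct horse battery staple"))
    print("stored:", stored)
    # Login: the client re-derives the pre-hash and the server verifies it.
    print("right password:", verify(stored, client_prehash("correct horse battery staple")))
    print("wrong password:", verify(stored, client_prehash("Tr0ub4dor&3")))
    print("cost within a 50 ms budget on this machine:", choose_cost(0.05))
```

Two details worth noticing: the server's random per-user salt means two users with the same password get different stored records, and the comparison uses hmac.compare_digest so verification time does not leak how many leading bytes of the digest matched. The client-side salt is fixed per service here; a per-user client salt would need a round trip to fetch it before the first hash.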
