Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 Internet speed test! ×

Comment Re:Hashed and salted is obsolete (Score 1) 80

Also, the whole point is that key derivation is slow. Of course the "secret from which keys are derived" is available (it is necessarily so; it's stored, along with the cost factor, as part of bcrypt's output, for example). But the fact that you have to through 2^N iterations, where N is usually >= 10, throws a meaningful speedbump in front of high-speed cracking. Now instead of brute forcing any given 7-character alphanumeric case-sensitive passwords in ~half an hour, it'll take you > 20 days on average.

Comment Re:Hashed and salted is obsolete (Score 1) 80

The key derivation functions can be literally several orders of magnitude harder to brute force. And their difficulty can be chosen with simple parameters, with sane defaults. There is really no comparison between a singly salted hashed password and bcrypt/scrypt.

Check out table 1 in this paper to get a sense: https://www.tarsnap.com/scrypt/scrypt.pdf

Comment Re:Hashed and salted is obsolete (Score 1) 80

Assuming the cracker has access to the salt and a GPU, the only thing keeping users safe now is the entropy inherent in the passwords they chose.

It doesn't have to be like that. Instead of plugging in Good Salted Hashed Password Library, you can plug in Bcrypt Library or Scrypt Library *and protect even the users who chose bad passwords*.

Comment Re:Hashed and salted is obsolete (Score 1) 80

Can you explain this a bit more?

If the hackers didn't get the salt, and only have the salted hashes, and let's say the salt is, say, a 20 character random phrase using numbers, letters and symbols, what is the weak spot?

I'm sure many /. users are implementing systems like this using salted hashes, so if there's an inherent weakness (other than the salt becoming exposed) I'm sure it would be useful if there was a straightforward explanation.

The size of the salt is relevant only insofar as you want to be sure that each user has their own unique salt. The salt is stored in plaintext (or, I suppose, it could be encrypted, but then the decryption key must then be stored in an accessible place). The point is that the crackers must be assumed to have recovered the salts.

So now those salts protect you against pre-computed hashes. The cracker has to attempt each password individually. But most people use one of the few thousand most common passwords. And inexpensive modern hardware lets you attempt billions of SHA hashes per second. So... Salted and hashed does very little for you at this point.

Instead of salting and hashing, use a key derivation function (e.g., bcrypt, scrypt).

Comment Re:NEWS FLASH (Score 1) 196

... RNA misspellings originally discovered in the white blood cells were also in the skin cells. And the misspellings aren’t just rare, random mistakes. “When DNA and RNA differ from each other it happens in nearly every RNA” copy, Li says.

This supports what canajin56 was saying.

Comment Re:More like a flaw in statistics (Score 1) 437

Yes, that's the right thing to do. As I said the first time, "Ambulances in the US will take you to the nearest hospital with appropriate facilities for your condition." Since the hospital that was a bit further was a facility more appropriate for your grandmother's condition, it was right to take her there.

Slashdot Top Deals

Your code should be more efficient!