undefined | Better HN

0 pointsraverbashing11y ago0 comments

I'm not arguing against bcrypt/scrypt per se.

I'm arguing that there may be advantages in using standardized methods (for interoperability) and especially implementations.

Which one is safer, using PBKDF2 from a known implementation or the "bcrypt library" for Ruby/Node that someone just posted to github? Oh what do you mean that's not how you read secure random numbers?

0 comments

mpyne11y ago

> Which one is safer, using PBKDF2 from a known implementation or the "bcrypt library"

What kind of dilemma choice is that? It should rather be:

"Which one is safer, using PBKDF2 from a known implementation or bcrypt from a known implementation?"

But even that question is erroneous. After all, why shouldn't we just use PBKDF2 from RSA's known BSAFE implementation? What could possibly go wrong with that?

Or if you don't like RSA because of da Feds, why not use the known-good OpenSSL for securing data in motion instead of something new and untested like stunnel or spiped?

Known implementations are a very good consideration factor. You should use TLS (though maybe not OpenSSL's) in general instead of designing your own secure transport. But being from a known implementation should not be the only factor you consider otherwise you're just cargo culting. You have to understand pros/cons of each solution, even if that means you have to learn a little bit about the problem space.

raverbashingOP11y ago

Yes, "Bob's bcrypt lib" is safer (apart from some serious mistake or compromise, which are not rare) than hashing your passwords with a rock-solid sha1 library.

"But being from a known implementation should not be the only factor you consider otherwise you're just cargo culting"

Of course

In the same way some people blindly answer "use bcrypt" to any mention of password hashing.

mpyne11y ago

> In the same way some people blindly answer "use bcrypt" to any mention of password hashing.

It's almost like there was a reason I explicitly decried cargo culting (yes, that counts too) and blind answers instead of understanding.

Could you try to read and understand the comments that are left instead of responding to points that were never made?

tptacek11y ago

The bcrypt library.

raverbashingOP11y ago

https://github.com/dcodeIO/bcrypt.js/blob/master/src/bcrypt....

j / k navigate · click thread line to collapse

0 comments

mpyne11y ago

> Which one is safer, using PBKDF2 from a known implementation or the "bcrypt library"

What kind of dilemma choice is that? It should rather be:

"Which one is safer, using PBKDF2 from a known implementation or bcrypt from a known implementation?"

But even that question is erroneous. After all, why shouldn't we just use PBKDF2 from RSA's known BSAFE implementation? What could possibly go wrong with that?

Or if you don't like RSA because of da Feds, why not use the known-good OpenSSL for securing data in motion instead of something new and untested like stunnel or spiped?

raverbashingOP11y ago

Yes, "Bob's bcrypt lib" is safer (apart from some serious mistake or compromise, which are not rare) than hashing your passwords with a rock-solid sha1 library.

"But being from a known implementation should not be the only factor you consider otherwise you're just cargo culting"

Of course

In the same way some people blindly answer "use bcrypt" to any mention of password hashing.

mpyne11y ago

> In the same way some people blindly answer "use bcrypt" to any mention of password hashing.

It's almost like there was a reason I explicitly decried cargo culting (yes, that counts too) and blind answers instead of understanding.

Could you try to read and understand the comments that are left instead of responding to points that were never made?

tptacek11y ago

The bcrypt library.

raverbashingOP11y ago

https://github.com/dcodeIO/bcrypt.js/blob/master/src/bcrypt....

j / k navigate · click thread line to collapse