Andrew Cooke | Contents | Latest | RSS | Previous | Next

C[omp]ute

Welcome to my blog, which was once a mailing list of the same name and is still generated by mail. Please reply via the "comment" links.

Always interested in offers/projects/new ideas. Eclectic experience in fields like: numerical computing; Python web; Java enterprise; functional languages; GPGPU; SQL databases; etc. Based in Santiago, Chile; telecommute worldwide. CV; email.

Personal Projects

Choochoo Training Diary

Last 100 entries

[Programming] React Leaflet; AliExpress Independent Sellers; Applebaum - Twilight of Democracy; [Politics] Back + US Elections; [Programming,Exercise] Simple Timer Script; [News] 2019: The year revolt went global; [Politics] The world's most-surveilled cities; [Bike] Hope Freehub; [Restaurant] Mama Chau's (Chinese, Providencia); [Politics] Brexit Podcast; [Diary] Pneumonia; [Politics] Britain's Reichstag Fire moment; install cairo; [Programming] GCC Sanitizer Flags; [GPU, Programming] Per-Thread Program Counters; My Bike Accident - Looking Back One Year; [Python] Geographic heights are incredibly easy!; [Cooking] Cookie Recipe; Efficient, Simple, Directed Maximisation of Noisy Function; And for argparse; Bash Completion in Python; [Computing] Configuring Github Jekyll Locally; [Maths, Link] The Napkin Project; You can Masquerade in Firewalld; [Bike] Servicing Budget (Spring) Forks; [Crypto] CIA Internet Comms Failure; [Python] Cute Rate Limiting API; [Causality] Judea Pearl Lecture; [Security, Computing] Chinese Hardware Hack Of Supermicro Boards; SQLAlchemy Joined Table Inheritance and Delete Cascade; [Translation] The Club; [Computing] Super Potato Bruh; [Computing] Extending Jupyter; Further HRM Details; [Computing, Bike] Activities in ch2; [Books, Link] Modern Japanese Lit; What ended up there; [Link, Book] Logic Book; Update - Garmin Express / Connect; Garmin Forerunner 35 v 230; [Link, Politics, Internet] Government Trolls; [Link, Politics] Why identity politics benefits the right more than the left; SSH Forwarding; A Specification For Repeating Events; A Fight for the Soul of Science; [Science, Book, Link] Lost In Math; OpenSuse Leap 15 Network Fixes; Update; [Book] Galileo's Middle Finger; [Bike] Chinese Carbon Rims; [Bike] Servicing Shimano XT Front Hub HB-M8010; [Bike] Aliexpress Cycling Tops; [Computing] Change to ssh handling of multiple identities?; [Bike] Endura Hummvee Lite II; [Computing] Marble Based Logic; [Link, Politics] Sanity Check For Nuclear Launch; [Link, Science] Entropy and Life; [Link, Bike] Cheap Cycling Jerseys; [Link, Music] Music To Steal 2017; [Link, Future] Simulated Brain Drives Robot; [Link, Computing] Learned Index Structures; Solo Air Equalization; Update: Higher Pressures; Psychology; [Bike] Exercise And Fuel; Continental Race King 2.2; Removing Lowers; Mnesiacs; [Maths, Link] Dividing By Zero; [Book, Review] Ray Monk - Ludwig Wittgenstein: The Duty Of Genius; [Link, Bike, Computing] Evolving Lacing Patterns; [Jam] Strawberry and Orange Jam; [Chile, Privacy] Biometric Check During Mail Delivery; [Link, Chile, Spanish] Article on the Chilean Drought; [Bike] Extended Gear Ratios, Shimano XT M8000 (24/36 Chainring); [Link, Politics, USA] The Future Of American Democracy; Mass Hysteria; [Review, Books, Links] Kazuo Ishiguro - Never Let Me Go; [Link, Books] David Mitchell's Favourite Japanese Fiction; [Link, Bike] Rear Suspension Geometry; [Link, Cycling, Art] Strava Artwork; [Link, Computing] Useful gcc flags; [Link] Voynich Manuscript Decoded; [Bike] Notes on Servicing Suspension Forks; [Links, Computing] Snap, Flatpack, Appimage; [Link, Computing] Oracle is leaving Java (to die); [Link, Politics] Cubans + Ultrasonics; [Book, Link] Laurent Binet; VirtualBox; [Book, Link] No One's Ways; [Link] The Biggest Problem For Cyclists Is Bad Driving; [Computing] Doxygen, Sphinx, Breathe; [Admin] Brokw Recent Permalinks; [Bike, Chile] Buying Bearings in Santiago; [Computing, Opensuse] Upgrading to 42.3; [Link, Physics] First Support for a Physics Theory of Life; [Link, Bike] Peruvian Frame Maker; [Link] Awesome Game Theory Tit-For-Tat Thing; [Food, Review] La Fabbrica - Good Italian Food In Santiago; [Link, Programming] MySQL UTF8 Broken; [Link, Books] Latin American Authors

© 2006-2017 Andrew Cooke (site) / post authors (content).

StackOverflow Security Expert

From: andrew cooke <andrew@...>

Date: Fri, 12 Jul 2013 14:19:15 -0400

This has been deleted from StackOverflow, so I want to record some information
here.

The question was a vague one about "security".  The answer focused on password
management and gave what was best practice 10 years ago, but not now - salt
and hash.

Then there were these comments (me first):

   you should be using PBKDF2 or scrypt for passwords, not rolling your
   own. something like you describe doesn't give good enough safety for
   typical passwords - there's no adjustable work factor. someone with a
   cracker who steals your db will crack many... - andrew cooke Jun 30 at
   18:09

   @andrewcooke Actually PBKDF2 will increase your computational need in the
   server, thus slowing down the login process. This could result in over
   taxation of server resources, resulting in a crash due to low memory or a
   denial of service during peak times, even on pretty good hardware. The
   reason I suggest staying away from PBKDF2 and other memory bound KDFs is
   because it is simply unnecessary. There is no benefit except that it slows
   dictionary attacks if your database is compromised and exported for making
   local attacks. I did not "roll my own" in my answer, I used standard
   algorithms. - Mxxxxxx J. Gxxx Jun 30 at 18:14
 	
   @andrewcooke To address another point in your comment, you also need to
   realize that you shouldn't be protecting people with silly passwords. It is
   generally up to the user to be responsible for choosing a decent
   password. As long as you store it in a sane manner, you are doing your
   job. Remember that if your users can't log in because your resources are
   used entirely, you are doing worse by trying to help more. - Mxxxxxx
   J. Gxxxx Jun 30 at 18:21

Note that final gem: "YOU SHOULDN'T BE PROTECTING PEOPLE WITH SILLY
PASSWORDS".  So he's throwing what, more than half his users, under the 
bus...

Awesome.

Andrew

Re: StackOverflow Security Expert

From: Michiel Buddingh' <michiel@...>

Date: Sun, 14 Jul 2013 21:14:47 +0200

That's almost an argument for storing passwords in plain text.  You
need only one query over the password list, sorting by frequency, to
realize that '123456' is the most frequent password amongst your
customer base, and 'secret' the second-most.

That being said, the first thing anyone implementing password storage
should consider is whether there are alternatives.  OpenID, OAuth,
even Facebook Connect despite the privacy implications.

From a purely technical standpoint, key-strengthening is enormously
preferable to hashing, but usability is no less a part of security,
and if your service requires your users to remember an additional password,
you're not doing them a favour.

--
Michiel

Comment on this post