Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
And then you’ll have to deal with all the bitching from the admin type folk who are so fucking useless they get locked out constantly 😆
-
Root797675y@badcopnodonuts Truth. There's no "forgot password" flow either. Not looking forward to writing that.
-
Why would anyone ever do a fixed salt? It's easy to generate a random string and save it in the database....
-
@AlgoRythm I think it's actually called "pepper", but one should use it with conjunction with salt. If you don't have app sources and its config (which contains pepper used) but only the DB, cracking those passwords is more painful because you have to figure out the pepper.
-
Ansis945yCould someone please tell me what would be the proper way of salting and storing the hashes? I haven't really studied security much.
-
@theunknownguy bcrypt automatically salts passwords. I'm a bit concerned that you are convinced that you're not salting passwords, consider it okay and recommend this approach to others. Maybe it's time to update your basic password handling knowledge?
-
@gronostaj wow calm down mate, where did I mention I was recommending the other person? Where did I mention BCrypt does or does not salt the password?
-
@theunknownguy
> Ansis: Could someone please tell me what would be the proper way of salting and storing the hashes?
> You: @ Ansis I use BCrypt without any salt
I didn't mean to offend you, it was just an honest suggestion.
Related Rants
-
redskabsskuret7I think I laught too much about this!
-
AnonymousDev18I was reviewing one dev's work. It was in PHP. He used MD5 for password hashing. I told him to use to password...
-
retnikt17Google: Don't use a password from another site, or something too obvious like your pet's name. Me: 5f4dcc3b5a...
!security
(Less a rant; more just annoyance)
The codebase at work has a public-facing admin login page. It isn't linked anywhere, so you must know the url to log in. It doesn't rate-limit you, or prevent attempts after `n` failures.
The passwords aren't stored in cleartext, thankfully. But reality isn't too much better: they're salted with an arbitrary string and MD5'd. The salt is pretty easy to guess. It's literally the company name + "Admin" 🙄
Admin passwords are also stored (hashed) in the seeds.rb file; fortunately on a private repo. (Depressingly, the database creds are stored in plain text in their own config file, but that's another project for another day.)
I'm going to rip out all of the authentication cruft and replace it with a proper bcrypt approach, temporary lockouts, rate limiting, and maybe with some clientside hashing, too, for added transport security.
But it's friday, so I must unfortunately wait. :<
rant
unsafe hashing
md5
security through obscurity
almost-public passwords