This oral history of password storage on the Web originally appeared as a remark in the #infosec channel of the Hangops slack—the conversation had turned to a mention of “hashed, salted passwords” in a breach announcement in a way that made me suspect at least some of our friends had not studied the topic in detail. Several participants then encouraged me to expand the remark into a blog post, and now here we are.While I was around for some of this, much of it predates my career; everything is as accurate as I can reasonably make it, but corrections of gross errors are welcomed.The first time people attempt to design a Web login system, they will usually default to simply inserting their users’ passwords in their database. This solution is simple, obvious, and wrong.The problem is that database storage is not nearly as private as we would all like it to be. Even the databases that we’d
Allie cite-reader
cite-reader
/ history-of-password-storage.md
Last active
July 9, 2020 18:24
An oral history of password storage
cite-reader
/ Cargo.toml
Created
September 21, 2019 19:29
Example code for authenticating CURVE peers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [package] | |
| name = "curve-authenticator" | |
| version = "0.1.0" | |
| edition = "2018" | |
| [dependencies] | |
| env_logger = "0.6" | |
| log = "0.4" | |
| zmq = "0.9.2" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| extern crate clap; | |
| use clap::{Arg, App}; | |
| fn main() { | |
| let matches = App::new("A test") | |
| .arg(Arg::with_name("has-default") | |
| .short("d") | |
| .takes_value(true)) | |
| .get_matches(); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [package] | |
| name = "openssl-ex" | |
| version = "0.1.0" | |
| authors = ["Alex Hill <[email protected]>"] | |
| [dependencies.openssl] | |
| version = "0.7" | |
| features = ["tlsv1_2"] |
cite-reader
/ valid_utf8_prefix.rs
Created
May 14, 2016 05:36
Sometimes you want to parse as much UTF-8 as possible.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //! Parsing UTF-8 prefixes out of bytes | |
| /* | |
| Copyright 2016 Alex hill | |
| Licensed under the Apache License, Version 2.0 (the "License"); | |
| you may not use this file except in compliance with the License. | |
| You may obtain a copy of the License at | |
| http://www.apache.org/licenses/LICENSE-2.0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -- https://twitter.com/rowletbot/status/730385243958554624 | |
| module Main (main) where | |
| import Control.Concurrent (threadDelay) | |
| import Control.Monad (forever) | |
| -- | __spins furiously__ | |
| main :: IO () | |
| main = forever $ do |
cite-reader
/ pollen.rkt
Created
November 19, 2015 00:51
I was going to write something, but wrote a tool to render what I'd written instead.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #lang racket/base | |
| (require (for-syntax racket/base) | |
| pollen/world pollen/decode racket/function hyphenate) | |
| (provide (except-out (all-defined-out) | |
| default-postprocessor define-tag-handler | |
| define-trivial-html-handler)) | |
| (module config racket/base | |
| (provide poly-targets) |
cite-reader
/ lib.rs
Created
September 30, 2015 17:57
Cracking the Coding Interview exercise: baby names
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| use std::collections::HashMap; | |
| pub fn aggregate_baby_names<'a>(name_frequencies: &[(&'a str, usize)], | |
| name_mappings: &[(&'a str, &'a str)]) | |
| -> Vec<(&'a str, usize)> | |
| { | |
| let mut disambiguation = HashMap::with_capacity(name_mappings.len()); | |
| let mut coalesced_index = 0; | |
| let mut canonical_names = Vec::with_capacity(name_frequencies.len()); | |
| for &(syn1, syn2) in name_mappings { |
cite-reader
/ 0001-Guess-in-parallel.patch
Created
October 19, 2014 18:11
Haskell: easiest parallelization ever.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| From 076066f4d671c59924c2425e20e4697cbce816e0 Mon Sep 17 00:00:00 2001 | |
| From: Alex Hill <[email protected]> | |
| Date: Sun, 19 Oct 2014 11:06:18 -0700 | |
| Subject: [PATCH] Guess in parallel. | |
| --- | |
| matasano-challenge.cabal | 5 +++-- | |
| src/Main.hs | 3 ++- | |
| 2 files changed, 5 insertions(+), 3 deletions(-) |