Always salt your hashes.

Thread replies: 36
Thread images: 7

File: salted_hash.png (846KB, 960x608px)
Always salt your hashes.
>>
>eating hash browns in 2017
fuck off meat eater
>>
File: 1455455737080.jpg (488KB, 1152x1536px)
>>58352132
Is this the new humor thread
>>
File: Jk8ZzkM.jpg (128KB, 396x482px)
>>58352132
>tfw you use CRYPT_BLOWFISH with 7 rounds but at the same time too lazy to implement https for login and registration
>>
File: 1302111113219.jpg (2KB, 126x70px)
>>58352132
moderate kek
>>
What's a good frozen hash brown and do i need a deep fryer?
>>
>>58352535
What do you mean implement. Just tell your framework to use HTTPS everywhere, point it to your certificate, and you're done.
>>
>>58352132
>server
>passwords
>hashes not salted
>2017
It still happens
>>
>>58352535
Let the web server do the job. If your application has its own web server, point an nginx or Apache or lighttpd reverse proxy with HTTPS at it.
That also adds the convenience of being able to read clear-text traffic on your end.
>>
>>58352925
i don't want to use https on whole site because I don't want to buy paid cert

letsencrypt is only good enough for login/registration for me
>>
>>58352132
4chan's secure tripcode salt was like literally LOLOLOLOLOL or something like that.

Someone found it out and started cracking secure trips so they had to change it.
>>
>>58352994
>letsencrypt is only good enough for login/registration for me
How so? Why not the whole site?
>>
>>58352997
>tripcode salt
huh
>>
>>58352955
Heh, makes me remember when Apple Cloud got brute forced in 2014.
>>
>>58353008
read again
>secure tripcode salt
>>
>>58353008
oh, only applies to "secure" tripcodes
>>58353015
yeah thx

test#FE9t'Hk.qi#faggot
>>
>>58353006
letsencrypt is still not trusted by all browsers/systems (old ones)
>>
>>58353042
what old systems do you mean? If I remember correctly (tested this a while ago) even the Android 2.3 browser works

and looks like XP does as well

https://letsencrypt.org/upcoming-features/
>Windows XP Certificate Compatibility
>Enabled: March 25, 2016
>>
>>58353098
look here
https://letsencrypt.org/docs/certificate-compatibility/
>>
File: 1327416057776.jpg (46KB, 543x499px)
>>58353148
> Blackberry OS v10, v7, & v6
> Android < v2.3.6
> Nintendo 3DS
> Windows XP prior to SP3 - cannot handle SHA-2 signed certificates
> Java 7 < 7u111
> Java 8 < 8u101
shouldn't really be a concern IMO
>>
>>58353190
xhamster recently switched to https and they don't use letsencrypt

they know why

my traffic comes from around the world with some of the most obscure configs
>>
>>58352162
Expound.
>>
>>58352132
but where is the salt stored? I never understood this. Wouldn't it be easy to find the salt in cleartext?
>>
File: salt.jpg (142KB, 960x720px)
>>
How did we come to using the word "salt" in a technology variation

Who thought "this key should be named 'salt'"?
>>
>>58353765
You can just attach the salt to the hashed password. It's not actually important that the salt be kept secret (although you can try and keep it secret, in which case it's called a pepper instead).

The point of a salt is to make precomputed hash tables useless. Giant rainbow tables of common passwords and their hashes are easy to find floating around. Without a salt, all a hacker has to do is look up the hash. With a salt, he has to compute an entirely new table, which is an expensive process. If every hash had a different salt, he has to make a new table for every password, slowing him down significantly.
>>
>>58352132
And when possible use something like bcrypt or scrypt.
>>
>>58353267
So long as you don't support SSLv2.
>>
>>58353739
there's probably animal product in the greasy exterior?
>>
>>58352132
I don't have a PhD in Mathematics. How am I supposed to understand this joke? This is discrimination.
>>
>>58358062
Computers are racist
>>
>>58352162
>fuck off meat eater
You are weak and will not survive the winter.
>>
>>58352601
Just go to the store and buy some hash browns.

You can probably order some online if you're ultra agoraphobic.

You don't need no deep fryer. Shit you can put those bad boys in a toaster, or a microwave. Hell use a blow torch if you're homeless and don't have a kitchen.
>>
>>58355695
>>58353765

To be specific, suppose you use a two-character salt with 64 possible characters (like the Linux crypt() function). Then you've got 4096 different salt combinations, and very few attackers care to keep 4096 rainbow tables around.

The key here is that users are assholes so the salt protects *common* passwords. For example, if you have 4000 assholes who use "password" for a password then without a salt they'll hash to:

xQPHYlVDIw6

The attacker can look in your password database and see that 4000 people have this one hash, and once they break it they gain entry to 4000 accounts.

But if you salt each asshole's password with a different combo, then your attacker gets something like:

aajfMKNH1hTm2
abJnggxhB/yWI
acBxUIBkuWIZE
advwtv/9yU5yQ

Your attacker can see the salts in plain text (the first two characters of each hash- aa, ab, ac, and ad). But, they can't easily see that each hash is the same password. Moreover, if they manage to break the first hash, they haven't automatically broken the other three.
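
An added example, not part of the thread: it shows the two points made in the posts above, that the salt is stored in clear text next to the hash and that per-user salts hide which accounts share a password. It uses Python's `hashlib.scrypt` rather than crypt(); the cost parameters, the `salt$hash` record format, the SHA-256 stand-in for the unsalted scheme and the sample accounts are assumptions made for illustration.

```python
from __future__ import annotations
import base64
import hashlib
import hmac
import os
from collections import Counter

# scrypt cost parameters: assumed values for this example, tune for your hardware
N, R, P, DKLEN = 2**14, 8, 1, 32


def unsalted(password: str) -> str:
    """Stand-in for any unsalted scheme: same password, same hash, every time."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Return 'salt$hash'; the salt sits in clear text next to the hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    return base64.b64encode(salt).decode() + "$" + base64.b64encode(digest).decode()


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash using the salt read back out of the stored record."""
    salt_b64, _ = record.split("$", 1)
    candidate = hash_password(password, base64.b64decode(salt_b64))
    return hmac.compare_digest(candidate, record)  # constant-time comparison


def largest_group(records: list[str]) -> int:
    """Size of the biggest set of identical stored values, i.e. how many
    accounts a reader of the table can tell share one password."""
    return Counter(records).most_common(1)[0][1]


# Constructed sample data: four accounts that all chose "password".
USERS = ["alice", "bob", "carol", "dave"]
UNSALTED_DB = [unsalted("password") for _ in USERS]
SALTED_DB = [hash_password("password") for _ in USERS]

if __name__ == "__main__":
    print("unsalted, identical rows:", largest_group(UNSALTED_DB))
    print("salted, identical rows:  ", largest_group(SALTED_DB))
    print("login still works:", verify_password("password", SALTED_DB[0]))
```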
>>
>>58358494
thanks. this pretty well clears up my question. I guess I thought salting was supposed to make finding the password impossible. I've never seen it discussed anywhere.
>>
File: Crispy-Hash-browns.jpg (1MB, 3128x2346px)
>>58352601
>Buying overpriced frozen prepackaged food
I bet you buy pre-built desktops as well you normie.

>buy a sack of regular potatoes
>get out your cheese grater or get a cheap one
>shred the spuds to your liking
>get out any old frying pan or skillet
>put some butter or oil on it, whatever is more convenient
>fry hash
>salt hash
>put whatever else you want, pepper, spice, etc.

Literally 3 extra minutes to making the best and cheapest hash every time all the time.
This is a 4chan archive - all of the content originated from that site.