Categories
Links

Links for Today: Passwords

Today I am reviving an old blogging tradition of posting some interesting or useful links with little or no context. Today’s topic: Passwords.

4 fatal flaws in deterministic password managers
Sync-less password managers are trending again; Tony Arcieri breaks down some reasons why they suck.

NIST’s New Password Rules
For developers: I pulled this article from the link above; there are a few counterintuitive suggestions in this doc.

TLDR – Just use 4 easy-to-remember words

Categories
Web Development

Rethinking Passwords

Made my first post over at the company blog. Thought it would only be appropriate to give it some link love over here. My thoughts on the future of passwords: Rethinking Passwords.

Categories
Tips & How To's

Assault on the Hash (or how to make secure your passwords)

In a recent episode of Build & Analyze, Marco Arment (creator of Instapaper) explained that the standard practice of salting a hash is no longer a really good way to secure passwords. CPUs (and GPUs) are so fast that they can effectively guess your salt in a reasonable amount of time*.

The solution: use bcrypt. Essentially, it’s an extremely slow hashing algorithm.

To me this seems a little bit like security through obscurity: every once in a while – as CPU speed increases – you’ll have to update your algorithm to generate hashes even slower.

See also.

*A modern server can calculate over 300MB of hash data per second!
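
An added example, not from the original post or the podcast: a slow hash's cost is a stored parameter, so it can be raised as hardware speeds up and old records upgraded at the next successful login. PBKDF2 from Python's standard library stands in for bcrypt here (bcrypt needs a third-party package); the record format, function names and iteration counts are assumptions.

```python
import hashlib
import hmac
import os

# Assumed policy value for this example; raise it as hardware gets faster.
CURRENT_ITERATIONS = 600_000
MAX_ITERATIONS = 10_000_000  # refuse absurd stored costs (assumed bound)


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return a record 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_and_upgrade(password: str, stored: str):
    """Check a login attempt against a stored record.

    Returns (ok, new_record). new_record is set only when the password is
    correct and the record was made with a lower cost than current policy,
    so the caller can overwrite the old record with the stronger one.
    """
    try:
        scheme, iter_s, salt_hex, digest_hex = stored.split("$")
        iterations = int(iter_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False, None  # malformed record
    if scheme != "pbkdf2_sha256" or not 1 <= iterations <= MAX_ITERATIONS:
        return False, None
    # Recompute with the cost the record was created with.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    if not hmac.compare_digest(candidate, expected):  # constant-time compare
        return False, None
    if iterations < CURRENT_ITERATIONS:
        # Only possible now, while the plaintext is in hand after a good login.
        return True, hash_password(password)
    return True, None


if __name__ == "__main__":
    # Constructed sample: a record created years ago at a much lower cost.
    old = hash_password("correct horse", iterations=10_000)
    ok, upgraded = verify_and_upgrade("correct horse", old)
    print(ok, upgraded.split("$")[1] if upgraded else None)
```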

Categories
Random

Non-Alpha-Numeric Passwords

Why won’t my bank allow me to use non-alpha-numeric characters in my online banking password?!
Don’t they want my password to be as secure as possible?