Links for Today: Passwords

Today I am reviving an old blogging tradition of posting some interesting or useful links with little or no context. Today’s topic: Passwords.

4 fatal flaws in deterministic password managers
Sync-less password managers are trending again; Tony Arcieri breaks down some reasons why they suck.

NIST’s New Password Rules
For developers: I pulled this article from the link above; there are a few counterintuitive suggestions in this doc.

TLDR – Just use 4 easy to remember words

Assault on the Hash (or how to secure your passwords)

In a recent episode of Build & Analyze, Marco Arment (creator of Instapaper) explained that the standard practice of salting a hash is no longer a really good way to secure passwords. CPUs (and GPUs) are so fast that they can effectively brute-force the password behind a salted hash in a reasonable amount of time*.

The solution: use bcrypt. Essentially, it's an extremely slow hashing algorithm.

To me this seems a little bit like security through obscurity: every once in a while, as CPU speed increases, you'll have to update your algorithm to generate hashes even slower.
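An added illustration of how the "make it slower over time" problem is handled in practice; this is my own example, not code from the post or from Arment. PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt (both expose a tunable work factor, which is the property at issue), and the record format, function names, iteration counts and the sample passphrase are assumptions of mine.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed example: PBKDF2-HMAC-SHA256 stands in for bcrypt. The work factor
# is the iteration count; raise CURRENT_ITERATIONS as hardware gets faster.
ALGORITHM = "pbkdf2_sha256"
CURRENT_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = os.urandom(16)  # stored in the clear; it only defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(digest).decode()])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the cost stored in the record; compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))


def needs_rehash(record: str) -> bool:
    """True if the record was produced with a lower cost than today's target."""
    return int(record.split("$")[1]) < CURRENT_ITERATIONS


def login(password: str, record: str):
    """Verify; if the stored cost is stale, re-hash at the current cost while
    the plaintext is in hand. Returns (ok, record_to_store)."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        return True, hash_password(password)
    return True, record


def calibrate(target_seconds: float, start: int = 1_000) -> int:
    """Double the iteration count until one hash takes at least target_seconds."""
    iterations = start
    while True:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"calibration", os.urandom(16), iterations)
        if time.perf_counter() - t0 >= target_seconds:
            return iterations
        iterations *= 2
```

Old records keep verifying because the cost travels with the hash, so the upgrade happens gradually at each successful login rather than requiring every user to reset their password.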

See also.

*A modern server can calculate over 300MB of hash data per second!