  2. 15

    I think I’m beginning to understand why there are 118330 npm modules.

    1. 9

      That is some hardcore NIH going on. Why doesn’t anyone like using anyone else’s stuff?

      1. 5

        If you look at the modules that return when searching… the vast majority of them are either directly dependent on the bcrypt module or have submodules that are. There is definitely duplication going on, but it isn’t as bad as the results of a search imply. The search results include multiple fields (tags, descriptions, dependencies, etc.) that match “bcrypt”, which could include things like: “why use bcrypt when you can use scrypt!?”

        Also, what is NIH? :D

        1. 5

          Also, what is NIH? :D

          And you call yourself an OpenBSD developer! NIH

          1. 3

            I liked: Other projects use a variety of tools for this, but unfortunately none of them were invented here.

            http://www.tedunangst.com/flak/post/signify

      2. 5

        (FTA, emphasis mine)

        And bcrypt is… situational… pbkdf2 - doubly so. Learn what it is, think about why linux distros use sha512, think a little bit more about interoperability, maintainability, attack vectors… and then choose what hash function you should use. Those “Use bcrypt. Use bcrypt. Use bcrypt.” articles are worthless.

        I’ve seen this “don’t just use bcrypt” meme elsewhere and I really don’t understand where it’s coming from. Contrarianism? The same NIH virus that has evidently infected node.js?

        If there’s one thing we should try to bang into programmers' brains, it’s that they should use a good KDF - and bcrypt is in every crypt I can think of, is plenty secure[1], and just plain works. I’d much rather have someone say “just use bcrypt” than “just use a salt and md5”.

        [1] I know Percival’s scrypt paper is over a decade old, but it’s still indicative of the costs to break bcrypt… just bump up the cost if anything.

        1. 3

          I read that as “stop telling people not to think”. Change “just use bcrypt” to “just use OpenSSL” to see why it’s better to spread knowledge than dogma.

          1. 6

            The most widely cited “just use bcrypt” article (by codahale) does a very good job of explaining exactly why. This “don’t think” meme is a strawman. Who exactly is spreading dogma and not knowledge?

            1. 4

              Me.

              MOO HOO HAH HAH

            2. 1

              I don’t think most programmers have the ability to safely evaluate why they should use scrypt or PBKDF2 instead of bcrypt. And I’d imagine even fewer can recognize how to replace OpenSSL with GnuTLS or NSS without blowing everything up. (LibreSSL has done god’s work here)

              Sometimes it’s better to teach people to use safe, conservative defaults and not stray too far off the path. I don’t know if I agree that’s spreading dogma.

          2. 4

            People want curation, but are unwilling to pay for it. Which leads to advertising, which leads to conflicts of interest, and the cycle repeats.