1. 15

  2. 7

    While the body of the article is correct, the title of the article will be misused as an argument against using KDFs by people who haven’t read the article, since the KDF will salt and hash your passwords.

    1. 2

      I agree the blog title is misleading, but how do you use a title of an article in an argument? I think the danger is that someone will see the title, not read the article and stop salting and hashing passwords I think that’s unlikely though, because what would they do instead? Store a password in plain text because they saw a blog title?

      1. 2

        I’m imagining this conversation:

        Les: Hey, we’ve been storing our passwords in plain text in our database. That’s bad. We should use bcrypt instead, because I’ve heard it’s more secure.
        Chris (defensively): Well, what we have now works. What does bcrypt do?
        Les: It salts and hashes the passwords so that even if an attacker steals a copy of the password database it’s okay, somehow. I don’t really understand.
        Kit: But everyone knows that if you’re salting and hashing your passwords, you’re doing it wrong.
        Les: You are? I thought that was the best practice.
        Chris (vaguely remembering): No, it’s a bad practice. How’s that feature you were going to deliver today coming along?

        Maybe this sounds implausible to you, but I’ve worked at jobs where I’ve been told, “Curiosity on the job just gets you into trouble,” “Assert statements are a bad practice because it’s bad when your code makes assumptions,” and “Don’t tell client SMEs that we should delete their unused code.” (Instead, we modified the unused and non-working code in parallel with our other changes.)

        1. 1

          These people shouldn’t be writing any kind of software ever.

          1. 1

            You were one of these people when you first started programming. Maybe for three months, or six months, or a year. If it wasn’t longer, you were lucky. I was stuck at that level of incompetence for fifteen years.

          2. 1

            Tell them bcrypt salts and slow hashes the password.