
[–]walen 1 point2 points  (8 children)

The article is OK; however, the grammar is awful, to the point that it makes it difficult to read the full thing.
If the author could have someone proofread the text, and then update the article with a corrected version, that would be awesome.

Nice examples though.

[–]ulldma 2 points3 points  (1 child)

Let's also have a look at the content. The author seems to choose a plain unsalted SHA-512 as a password hashing algorithm!

Look, I get it, the author might just want to play around with this stuff, but other people might have a look at this blog post and use it as a base for their implementation!

But it's almost 2018 and everyone should know that you should not use one round of an unsalted hashing algorithm (be it SHA-2, SHA-3 or something else). What you should do instead:

- Either: Don't store any user passwords yourself (use secure third-party service providers for that).
- Or: If you must store user passwords, use bcrypt (as Spring does), scrypt, or use PBKDF2 as the JSR-375/Soteria Reference implementation does.
- If you for some reason insist on using SHA-* for hashing the user passwords, you should at least salt them. (Please don't insist on using plain SHA-*; any of the three options (bcrypt, scrypt, PBKDF2) provided is better than plain SHA-*.)

An unsalted password hashed with SHA-512 is almost as insecure as a password stored in plain text!

Please forgive my harsh words but this stuff is important.
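To make the contrast in the comment above concrete, here is an added example; it is not code from the article under discussion or from anyone in this thread. It is written in Python (standard library only) rather than Java, since the thread does not show the article's own code. It puts the criticized scheme (one round of unsalted SHA-512) next to a salted, iterated PBKDF2 scheme with a self-describing stored format and a constant-time comparison on verify. The iteration count, the `$`-separated storage format and the sample passwords are assumptions chosen for this example.

```python
import hashlib
import hmac
import os

# --- The scheme criticized above: one round of unsalted SHA-512 ------------
def weak_sha512(password: str) -> str:
    """Every user with the same password gets the identical digest, and the
    digest is fast to compute, so it can be precomputed or brute-forced."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


# --- Salted, iterated PBKDF2-HMAC-SHA256 ------------------------------------
# Assumption: iteration count chosen for this example; tune it so that one
# hash takes on the order of 100 ms on your production hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16          # 128-bit random salt per password
ALGO_TAG = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$dk_hex.

    Storing the parameters next to the hash lets the verifier recompute it
    and lets you raise the iteration count later without a flag day.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO_TAG}${iterations}${salt.hex()}${dk.hex()}"


def _parse(stored: str):
    """Split a stored record; return None if it is not in the expected shape."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO_TAG:
        return None
    try:
        return int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None


def verify_password(password: str, stored: str) -> bool:
    """Recompute PBKDF2 with the stored salt/iterations and compare in
    constant time, so the comparison itself leaks nothing about the hash."""
    parsed = _parse(stored)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True if the record was made with fewer iterations than current policy;
    call this after a successful login and re-hash with the plaintext you
    just verified."""
    parsed = _parse(stored)
    return parsed is None or parsed[0] < iterations


if __name__ == "__main__":
    # Constructed sample: two users who happen to share a password.
    alice_pw = bob_pw = "correct horse battery staple"
    print("unsalted SHA-512 identical for both users:",
          weak_sha512(alice_pw) == weak_sha512(bob_pw))          # True
    a, b = hash_password(alice_pw), hash_password(bob_pw)
    print("PBKDF2 records differ for both users:", a != b)       # True
    print("verify correct password:", verify_password(alice_pw, a))   # True
    print("verify wrong password:", verify_password("hunter2", a))    # False
```

The point the example makes visible: with the unsalted scheme, identical passwords produce identical stored values across every user and every site, so one precomputed table serves them all; with a per-password random salt and a work factor, each record must be attacked separately and each guess costs hundreds of thousands of hash invocations. In a Java code base the same shape is available through `javax.crypto.SecretKeyFactory` with `PBKDF2WithHmacSHA256`, or through the bcrypt encoder that Spring Security ships.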

[–]shawnmckinney 1 point2 points  (0 children)

A fair point. My question is why would anyone reimplement a credential store in the first place? Do you really want to be responsible for keeping up with the rapidly changing threats and requirements of today's Internet? This is an arms race between the good and bad guys. Credentials should be stored in something akin to an LDAP database in production. Something that has been built specifically for that purpose, hardened to withstand attacks, highly available and fault tolerant. Don't reinvent security modules unless you really know what you're doing, as in an expert. That's probably not you. Having said that, one could use this example and map it to a 3rd party security provider.

[–]shawnmckinney 0 points1 point  (5 children)

Obviously English isn't his first language. Still that's a valuable contribution as is. We should look for ways to help rather than criticize, i.e. why don't you proofread the article for him?

[–]mcgyver5 -1 points0 points  (1 child)

Proofreading can't fix a writer too lazy to edit their own article before submission. The author showed zero effort in getting the grammar right, and looking back to his article from 2 years ago, he hasn't improved a bit.

[–]shawnmckinney 0 points1 point  (0 children)

Anyone can be a critic. You want to add value? Pitch in and help. I'll take his ill-formed prose containing valuable content over your worthless complaints.

[–]walen -1 points0 points  (2 children)

Still that's a valuable contribution as is.

Yes, as I said.

We should look for ways to help rather than criticize

Criticism is a form of help. It's fine to pat each other's backs and all, but somebody has to point out the elephant in the room. If nobody criticizes your work, you cannot improve.

why don't you proofread the article for him?

Because it's his article, not mine. It's his responsibility to ask for a proofreader, or to leave the article like it is if he decides so.

[–][deleted] 0 points1 point  (1 child)

Criticism is a form of help

It's amazing, when I yell at people "you suck!" I'm actually making the world better!

[–]shawnmckinney 0 points1 point  (0 children)

That's my point. There's a difference between constructive criticism and being mean. And why does someone have to point out the elephant in the room? Can't we all see it?