On 7/6/2014 9:49 AM, Kagamin wrote:
> On Saturday, 5 July 2014 at 21:50:59 UTC, Nick Sabalausky wrote:
>> 3. Too late anyway: See std.digest. Besides, if anything, std.digest
>> is arguably *worse* because (until 2.066) it only provides the worst
>> choices.

Slight correction: Apparently RIPEMD 160 and up are a lot better than I
thought. My mind automatically associated it with ~MD5, which I guess is
an inaccurate comparison.

>> std.random isn't much better. Granted, it doesn't claim to be
>> crypto-grade, but it doesn't clearly state that it *isn't* and that's
>> just as bad: People are going to decide (incorrectly) they can use
>> it to generate salts or tokens or whatever, and they will do so. Heck,
>> *I've* even done it, and *I'm* someone who actually knows better.
>
> The default PRNG is routinely used for salt generation :)
>
> Granted, your library makes it easier to use good salts. Though, it
> needs examples or tutorials on how to actually use the library correctly.
If this isn't good enough then I'm open to pull requests or more
specific suggestions:
https://github.com/abscissa/DAuth#typical-usage
Granted, the less typical (i.e. more heavily customized) use-cases could
use some tutorials.
In the expected typical use-case, proper salt generation is completely
transparent to the lib's user.
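The salt-generation mistake discussed above, shown side by side with the safer alternative, as an added example that is not from this thread or from DAuth: `weakSalt` draws bytes from std.random's default Mersenne Twister (the pattern being warned against), while `osSalt` reads them from the operating system's entropy device instead. It assumes a POSIX system with `/dev/urandom`.

```d
import std.random : Mt19937, uniform, unpredictableSeed;
import std.stdio : File, writefln;

// Weak: Mt19937 is a statistical PRNG. Its 32-bit seed is tiny, and its
// full state can be recovered from observed output, so salts and tokens
// built this way are not unpredictable in the sense a password hash needs.
ubyte[] weakSalt(size_t len)
{
    auto rng = Mt19937(unpredictableSeed);
    auto salt = new ubyte[len];
    foreach (ref b; salt)
        b = uniform!ubyte(rng);
    return salt;
}

// Safer: take the bytes from the kernel CSPRNG.
// Assumption: POSIX system exposing /dev/urandom (not portable to Windows).
ubyte[] osSalt(size_t len)
{
    auto salt = new ubyte[len];
    auto dev = File("/dev/urandom", "rb");
    auto got = dev.rawRead(salt);
    if (got.length != len)
        throw new Exception("short read from /dev/urandom");
    return salt;
}

void main()
{
    // 16 bytes is a common salt length for a password hash.
    writefln("weak salt (do not use): %(%02x%)", weakSalt(16));
    writefln("OS salt:                %(%02x%)", osSalt(16));
}
```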