This was too much not to share.

I was talking to a company today that is using password hashing to keep their users' passwords "safe". They were using Bcrypt. Given the performance hit that using Bcrypt has, I was surprised how many users they were able to support on very few CPUs.

"We have a Translation Table. Lookups are faster than calculating the hash, so we check the lookup table before we calculate the hash that we are going to authenticate against."

Pulling up the translation table gave the plaintext of every user and password in their system, along with all of the old usernames and passwords of those users. Apparently the idea was one the outsourced development company had "deployed to hundreds if not thousands" of sites, and "it had never been a problem before".

You can have the best locks on your doors, but if you leave the sliding glass window open they aren't doing you any good.

Brandon Wirtz
BlackWaterOps: President / Lead Mercenary
<http://www.blackwaterops.com/>

--
You received this message because you are subscribed to the Google Groups "Google App Engine" group.
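To make the failure in the post concrete, here is an added example (not code from the poster or the company described) that places the "translation table" anti-pattern beside a plain verify-every-time authenticator. The post's site used Bcrypt; this example substitutes `hashlib.pbkdf2_hmac` from the Python standard library so it runs offline without a third-party package, and the usernames and passwords are constructed sample data. The point it shows is that any cache consulted "before we calculate the hash" must hold the plaintext it compares against, so a dump of that cache is a dump of every password, past ones included.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Stand-in for bcrypt: PBKDF2-HMAC-SHA256 from the standard library (assumption:
# the original site used bcrypt; only the cost/salt behaviour matters here).
ITERATIONS = 100_000
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || digest for storage. A fresh random salt per password."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the slow hash and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class CachedAuthenticator:
    """The post's anti-pattern: a 'translation table' checked before hashing.

    To answer "is this password right?" without running the KDF, the table has
    to store the password itself. Changing a password never purges old rows,
    which is how the old credentials in the post ended up on disk too.
    """

    def __init__(self, users: Dict[str, bytes]):
        self.users = users                       # username -> salt||digest
        self.translation_table: Dict[Tuple[str, str], bool] = {}

    def authenticate(self, username: str, password: str) -> bool:
        if self.translation_table.get((username, password)):
            return True                          # fast path: plaintext match
        stored = self.users.get(username)
        if stored is not None and verify_password(password, stored):
            self.translation_table[(username, password)] = True  # cache plaintext (!)
            return True
        return False

    def change_password(self, username: str, old: str, new: str) -> bool:
        if not self.authenticate(username, old):
            return False
        self.users[username] = hash_password(new)
        return True                              # old plaintext row stays behind

    def retained_plaintext(self) -> List[Tuple[str, str]]:
        """What an attacker gets from dumping the cache."""
        return sorted(self.translation_table)


class Authenticator:
    """Hardened form: no cache, every login pays the KDF cost by design."""

    def __init__(self, users: Dict[str, bytes]):
        self.users = users

    def authenticate(self, username: str, password: str) -> bool:
        stored = self.users.get(username)
        return stored is not None and verify_password(password, stored)

    def change_password(self, username: str, old: str, new: str) -> bool:
        if not self.authenticate(username, old):
            return False
        self.users[username] = hash_password(new)
        return True

    def retained_plaintext(self) -> List[Tuple[str, str]]:
        return []                                # nothing to dump


if __name__ == "__main__":
    # Constructed sample users; "hunter2" and "correct-horse" are made up.
    leaky = CachedAuthenticator({"alice": hash_password("hunter2")})
    leaky.authenticate("alice", "hunter2")
    leaky.change_password("alice", "hunter2", "correct-horse")
    leaky.authenticate("alice", "correct-horse")
    print("translation table contents:", leaky.retained_plaintext())
    safe = Authenticator({"alice": hash_password("hunter2")})
    print("hardened store contents:", safe.retained_plaintext())
```

The slow hash is the whole security property: its cost is what makes a stolen database expensive to attack, and a lookup table that skips it can only do so by keeping the secret it was meant to protect. If login throughput is the real constraint, the remedies are tuning the work factor, adding CPUs, or issuing session tokens after a single verification, never caching credentials.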
