Ted

Ted

SQL Antipatterns, Volume 1, B5: encourage password-specific hashing algorithms as the first choice (chapter 20)

Hi Bill.

I’m glad to see you cover a lot of important topics about dealing with passwords in Chapter 20, “Readable Passwords”.

However, I have to admit I was a bit crestfallen to see that password-specific hashing algorithms, e.g. Argon2, PBKDF2, and Bcrypt, only receive a passing mention in the very last paragraph of the chapter, and only then with the qualifier of “if you need to develop very secure systems, you should move on to more advanced techniques…”

I propose that the chapter encourage readers to consider password-specific hashing algorithms as their first choice, and only then fall back to rolling their own with SHA + salt if circumstances dictate. In my experience, using a dedicated package such as bcrypt is less intimidating, less likely to screw up, is better documented, and results in less code.

OWASP’s Password Storage Cheat Sheet provides a lot more detail and justification for why password-specific hashing algorithms should be the first choice for any system tasked with storing passwords:

Also, regarding security, perhaps the “password reset” email examples on pages 235-6 can be updated to use “https” instead of “http” in the links.

Thanks again, Bill. I think all your hard work in creating a new edition of the book will greatly benefit the industry.

Marked As Solved

billkarwin

billkarwin

Author of SQL Antipatterns, Volume 1

Thanks Ted! I’m only able to do minor edits at this point, because we’re finishing up and going to production very soon. I agree with you about making a stronger recommendation for modern cryptographic hash algorithms.

I can’t make a major rewrite now, and ultimately it’s a book about SQL, not cryptography. But I’ve edit to make the recommended practice more clear :

“The techniques in this chapter are still relevant regardless of the type of cryptographic hash algorithm you use, but you should use the current recommended algorithms such as the following:”

Then I followed the list of algorithms with:

“The above list will eventually become outdated too. If you’re responsible for implementing an authentication system, then you should keep yourself up to date on the latest standards of cryptography.”

I’ve fixed the https references in the example URLs. Ironically, the link to the bcrypt source doesn’t support https!

Also Liked

billkarwin

billkarwin

Author of SQL Antipatterns, Volume 1

Normally I don’t like to use Wikipedia links, because some folks have issues with the fact that it’s a tertiary source. But I already broke that rule the other day because I found anchormodeling.com is flaky and was intermittently not responding. So I linked to the Wikipedia article on Anchor Modeling instead. So I’ve fixed the link to Bcrypt to use its Wikipedia article too.

Ted

Ted

Thanks, and I understand the reticence towards referencing Wikipedia.

I looked around for a more direct source before making the suggestion but I didn’t find anything else that quickly got to the point and listed implementations in various languages / environments.

Much like the Anchor Modeling situation, I think it’s the pragmatic choice in this limited circumstance.

Thanks again and congrats on going to print production!

Where Next?

Popular Pragmatic Bookshelf topics Top

iPaul
page 37 ANTLRInputStream input = new ANTLRInputStream(is); as of ANTLR 4 .8 should be: CharStream stream = CharStreams.fromStream(i...
New
telemachus
Python Testing With Pytest - Chapter 2, warnings for “unregistered custom marks” While running the smoke tests in Chapter 2, I get these...
New
herminiotorres
Hi @Margaret , On page VII the book tells us the example and snippets will be all using Elixir version 1.11 But on page 3 almost the en...
New
joepstender
The generated iex result below should list products instead of product for the metadata. (page 67) iex> product = %Product{} %Pento....
New
gilesdotcodes
In case this helps anyone, I’ve had issues setting up the rails source code. Here were the solutions: In Gemfile, change gem 'rails' t...
New
adamwoolhether
When trying to generate the protobuf .go file, I receive this error: Unknown flag: --go_opt libprotoc 3.12.3 MacOS 11.3.1 Googling ...
New
brunogirin
When running tox for the first time, I got the following error: ERROR: InterpreterNotFound: python3.10 I realised that I was running ...
New
adamwoolhether
Is there any place where we can discuss the solutions to some of the exercises? I can figure most of them out, but am having trouble with...
New
taguniversalmachine
It seems the second code snippet is missing the code to set the current_user: current_user: Accounts.get_user_by_session_token(session["...
New
tkhobbes
After some hassle, I was able to finally run bin/setup, now I have started the rails server but I get this error message right when I vis...
New

Other popular topics Top

ohm
Which, if any, games do you play? On what platform? I just bought (and completed) Minecraft Dungeons for my Nintendo Switch. Other than ...
New
wolf4earth
@AstonJ prompted me to open this topic after I mentioned in the lockdown thread how I started to do a lot more for my fitness. https://f...
New
dasdom
No chair. I have a standing desk. This post was split into a dedicated thread from our thread about chairs :slight_smile:
New
AstonJ
You might be thinking we should just ask who’s not using VSCode :joy: however there are some new additions in the space that might give V...
New
Rainer
My first contact with Erlang was about 2 years ago when I used RabbitMQ, which is written in Erlang, for my job. This made me curious and...
New
AstonJ
Was just curious to see if any were around, found this one: I got 51/100: Not sure if it was meant to buy I am sure at times the b...
New
Help
I am trying to crate a game for the Nintendo switch, I wanted to use Java as I am comfortable with that programming language. Can you use...
New
PragmaticBookshelf
Programming Ruby is the most complete book on Ruby, covering both the language itself and the standard library as well as commonly used t...
New
PragmaticBookshelf
Fight complexity and reclaim the original spirit of agility by learning to simplify how you develop software. The result: a more humane a...
New
mindriot
Ok, well here are some thoughts and opinions on some of the ergonomic keyboards I have, I guess like mini review of each that I use enoug...
New

Sub Categories: