Ted

Ted

SQL Antipatterns, Volume 1, B5: encourage password-specific hashing algorithms as the first choice (chapter 20)

Hi Bill.

I’m glad to see you cover a lot of important topics about dealing with passwords in Chapter 20, “Readable Passwords”.

However, I have to admit I was a bit crestfallen to see that password-specific hashing algorithms, e.g. Argon2, PBKDF2, and Bcrypt, only receive a passing mention in the very last paragraph of the chapter, and only then with the qualifier of “if you need to develop very secure systems, you should move on to more advanced techniques…”

I propose that the chapter encourage readers to consider password-specific hashing algorithms as their first choice, and only then fall back to rolling their own with SHA + salt if circumstances dictate. In my experience, using a dedicated package such as bcrypt is less intimidating, less likely to screw up, is better documented, and results in less code.

OWASP’s Password Storage Cheat Sheet provides a lot more detail and justification for why password-specific hashing algorithms should be the first choice for any system tasked with storing passwords:

Also, regarding security, perhaps the “password reset” email examples on pages 235-6 can be updated to use “https” instead of “http” in the links.

Thanks again, Bill. I think all your hard work in creating a new edition of the book will greatly benefit the industry.

Marked As Solved

billkarwin

billkarwin

Author of SQL Antipatterns, Volume 1

Thanks Ted! I’m only able to do minor edits at this point, because we’re finishing up and going to production very soon. I agree with you about making a stronger recommendation for modern cryptographic hash algorithms.

I can’t make a major rewrite now, and ultimately it’s a book about SQL, not cryptography. But I’ve edit to make the recommended practice more clear :

“The techniques in this chapter are still relevant regardless of the type of cryptographic hash algorithm you use, but you should use the current recommended algorithms such as the following:”

Then I followed the list of algorithms with:

“The above list will eventually become outdated too. If you’re responsible for implementing an authentication system, then you should keep yourself up to date on the latest standards of cryptography.”

I’ve fixed the https references in the example URLs. Ironically, the link to the bcrypt source doesn’t support https!

Also Liked

billkarwin

billkarwin

Author of SQL Antipatterns, Volume 1

Normally I don’t like to use Wikipedia links, because some folks have issues with the fact that it’s a tertiary source. But I already broke that rule the other day because I found anchormodeling.com is flaky and was intermittently not responding. So I linked to the Wikipedia article on Anchor Modeling instead. So I’ve fixed the link to Bcrypt to use its Wikipedia article too.

Ted

Ted

Thanks, and I understand the reticence towards referencing Wikipedia.

I looked around for a more direct source before making the suggestion but I didn’t find anything else that quickly got to the point and listed implementations in various languages / environments.

Much like the Anchor Modeling situation, I think it’s the pragmatic choice in this limited circumstance.

Thanks again and congrats on going to print production!

Where Next?

Popular Pragmatic Bookshelf topics Top

ianwillie
Hello Brian, I have some problems with running the code in your book. I like the style of the book very much and I have learnt a lot as...
New
mikecargal
Title: Hands-On Rust (Chap 8 (Adding a Heads Up Display) It looks like ​.with_simple_console_no_bg​(SCREEN_WIDTH*2, SCREEN_HEIGHT*2...
New
jeremyhuiskamp
Title: Web Development with Clojure, Third Edition, vB17.0 (p9) The create table guestbook syntax suggested doesn’t seem to be accepted ...
New
gilesdotcodes
In case this helps anyone, I’ve had issues setting up the rails source code. Here were the solutions: In Gemfile, change gem 'rails' t...
New
leba0495
Hello! Thanks for the great book. I was attempting the Trie (chap 17) exercises and for number 4 the solution provided for the autocorre...
New
jwandekoken
Book: Programming Phoenix LiveView, page 142 (157/378), file lib/pento_web/live/product_live/form_component.ex, in the function below: d...
New
a.zampa
@mfazio23 I’m following the indications of the book and arriver ad chapter 10, but the app cannot be compiled due to an error in the Bas...
New
gorkaio
root_layout: {PentoWeb.LayoutView, :root}, This results in the following following error: no “root” html template defined for PentoWeb...
New
davetron5000
Hello faithful readers! If you have tried to follow along in the book, you are asked to start up the dev environment via dx/build and ar...
New
SlowburnAZ
Getting an error when installing the dependencies at the start of this chapter: could not compile dependency :exla, "mix compile" failed...
New

Other popular topics Top

axelson
I’ve been really enjoying obsidian.md: It is very snappy (even though it is based on Electron). I love that it is all local by defaul...
New
AstonJ
There’s a whole world of custom keycaps out there that I didn’t know existed! Check out all of our Keycaps threads here: https://forum....
New
AstonJ
Just done a fresh install of macOS Big Sur and on installing Erlang I am getting: asdf install erlang 23.1.2 Configure failed. checking ...
New
AstonJ
In case anyone else is wondering why Ruby 3 doesn’t show when you do asdf list-all ruby :man_facepalming: do this first: asdf plugin-upd...
New
PragmaticBookshelf
Build highly interactive applications without ever leaving Elixir, the way the experts do. Let LiveView take care of performance, scalabi...
New
AstonJ
Continuing the discussion from Thinking about learning Crystal, let’s discuss - I was wondering which languages don’t GC - maybe we can c...
New
Margaret
Hello everyone! This thread is to tell you about what authors from The Pragmatic Bookshelf are writing on Medium.
1143 25883 760
New
AstonJ
Saw this on TikTok of all places! :lol: Anyone heard of them before? Lite:
New
First poster: bot
The overengineered Solution to my Pigeon Problem. TL;DR: I built a wifi-equipped water gun to shoot the pigeons on my balcony, controlle...
New
AstonJ
Curious what kind of results others are getting, I think actually prefer the 7B model to the 32B model, not only is it faster but the qua...
New

Sub Categories: