Ted

Ted

SQL Antipatterns, Volume 1, B5: encourage password-specific hashing algorithms as the first choice (chapter 20)

Hi Bill.

I’m glad to see you cover a lot of important topics about dealing with passwords in Chapter 20, “Readable Passwords”.

However, I have to admit I was a bit crestfallen to see that password-specific hashing algorithms, e.g. Argon2, PBKDF2, and Bcrypt, only receive a passing mention in the very last paragraph of the chapter, and only then with the qualifier of “if you need to develop very secure systems, you should move on to more advanced techniques…”

I propose that the chapter encourage readers to consider password-specific hashing algorithms as their first choice, and only then fall back to rolling their own with SHA + salt if circumstances dictate. In my experience, using a dedicated package such as bcrypt is less intimidating, less likely to screw up, is better documented, and results in less code.

OWASP’s Password Storage Cheat Sheet provides a lot more detail and justification for why password-specific hashing algorithms should be the first choice for any system tasked with storing passwords:

Also, regarding security, perhaps the “password reset” email examples on pages 235-6 can be updated to use “https” instead of “http” in the links.

Thanks again, Bill. I think all your hard work in creating a new edition of the book will greatly benefit the industry.

Marked As Solved

billkarwin

billkarwin

Author of SQL Antipatterns, Volume 1

Thanks Ted! I’m only able to do minor edits at this point, because we’re finishing up and going to production very soon. I agree with you about making a stronger recommendation for modern cryptographic hash algorithms.

I can’t make a major rewrite now, and ultimately it’s a book about SQL, not cryptography. But I’ve edit to make the recommended practice more clear :

“The techniques in this chapter are still relevant regardless of the type of cryptographic hash algorithm you use, but you should use the current recommended algorithms such as the following:”

Then I followed the list of algorithms with:

“The above list will eventually become outdated too. If you’re responsible for implementing an authentication system, then you should keep yourself up to date on the latest standards of cryptography.”

I’ve fixed the https references in the example URLs. Ironically, the link to the bcrypt source doesn’t support https!

Also Liked

billkarwin

billkarwin

Author of SQL Antipatterns, Volume 1

Normally I don’t like to use Wikipedia links, because some folks have issues with the fact that it’s a tertiary source. But I already broke that rule the other day because I found anchormodeling.com is flaky and was intermittently not responding. So I linked to the Wikipedia article on Anchor Modeling instead. So I’ve fixed the link to Bcrypt to use its Wikipedia article too.

Ted

Ted

Thanks, and I understand the reticence towards referencing Wikipedia.

I looked around for a more direct source before making the suggestion but I didn’t find anything else that quickly got to the point and listed implementations in various languages / environments.

Much like the Anchor Modeling situation, I think it’s the pragmatic choice in this limited circumstance.

Thanks again and congrats on going to print production!

Where Next?

Popular Pragmatic Bookshelf topics Top

abtin
page 20: … protoc command… I had to additionally run the following go get commands in order to be able to compile protobuf code using go...
New
sdmoralesma
Title: Web Development with Clojure, Third Edition - migrations/create not working: p159 When I execute the command: user=> (create-...
New
mikecargal
Title: Hands-On Rust (Chapter 11: prefab) Just played a couple of amulet-less games. With a bit of debugging, I believe that your can_p...
New
mikecargal
Title: Hands-on Rust: question about get_component (page 295) (feel free to respond. “You dug you’re own hole… good luck”) I have somet...
New
JohnS
I can’t setup the Rails source code. This happens in a working directory containing multiple (postgres) Rails apps. With: ruby-3.0.0 s...
New
raul
Page 28: It implements io.ReaderAt on the store type. Sorry if it’s a dumb question but was the io.ReaderAt supposed to be io.ReadAt? ...
New
jgchristopher
“The ProductLive.Index template calls a helper function, live_component/3, that in turn calls on the modal component. ” Excerpt From: Br...
New
New
dachristenson
I just bought this book to learn about Android development, and I’m already running into a major issue in Ch. 1, p. 20: “Update activity...
New
dachristenson
@mfazio23 Android Studio will not accept anything I do when trying to use the Transformations class, as described on pp. 140-141. Googl...
New

Other popular topics Top

siddhant3030
I’m thinking of buying a monitor that I can rotate to use as a vertical monitor? Also, I want to know if someone is using it for program...
New
Rainer
My first contact with Erlang was about 2 years ago when I used RabbitMQ, which is written in Erlang, for my job. This made me curious and...
New
New
Exadra37
Oh just spent so much time on this to discover now that RancherOS is in end of life but Rancher is refusing to mark the Github repo as su...
New
Margaret
Hello everyone! This thread is to tell you about what authors from The Pragmatic Bookshelf are writing on Medium.
1147 28379 760
New
mafinar
This is going to be a long an frequently posted thread. While talking to a friend of mine who has taken data structure and algorithm cou...
New
AstonJ
If you get Can't find emacs in your PATH when trying to install Doom Emacs on your Mac you… just… need to install Emacs first! :lol: bre...
New
PragmaticBookshelf
Author Spotlight Jamis Buck @jamis This month, we have the pleasure of spotlighting author Jamis Buck, who has written Mazes for Prog...
New
husaindevelop
Inside our android webview app, we are trying to paste the copied content from another app eg (notes) using navigator.clipboard.readtext ...
New
PragmaticBookshelf
Author Spotlight: Peter Ullrich @PJUllrich Data is at the core of every business, but it is useless if nobody can access and analyze ...
New

Sub Categories: