Ted

Ted

SQL Antipatterns, Volume 1, B5: encourage password-specific hashing algorithms as the first choice (chapter 20)

Hi Bill.

I’m glad to see you cover a lot of important topics about dealing with passwords in Chapter 20, “Readable Passwords”.

However, I have to admit I was a bit crestfallen to see that password-specific hashing algorithms, e.g. Argon2, PBKDF2, and Bcrypt, only receive a passing mention in the very last paragraph of the chapter, and only then with the qualifier of “if you need to develop very secure systems, you should move on to more advanced techniques…”

I propose that the chapter encourage readers to consider password-specific hashing algorithms as their first choice, and only then fall back to rolling their own with SHA + salt if circumstances dictate. In my experience, using a dedicated package such as bcrypt is less intimidating, less likely to screw up, is better documented, and results in less code.

OWASP’s Password Storage Cheat Sheet provides a lot more detail and justification for why password-specific hashing algorithms should be the first choice for any system tasked with storing passwords:

Also, regarding security, perhaps the “password reset” email examples on pages 235-6 can be updated to use “https” instead of “http” in the links.

Thanks again, Bill. I think all your hard work in creating a new edition of the book will greatly benefit the industry.

Marked As Solved

billkarwin

billkarwin

Author of SQL Antipatterns, Volume 1

Thanks Ted! I’m only able to do minor edits at this point, because we’re finishing up and going to production very soon. I agree with you about making a stronger recommendation for modern cryptographic hash algorithms.

I can’t make a major rewrite now, and ultimately it’s a book about SQL, not cryptography. But I’ve edit to make the recommended practice more clear :

“The techniques in this chapter are still relevant regardless of the type of cryptographic hash algorithm you use, but you should use the current recommended algorithms such as the following:”

Then I followed the list of algorithms with:

“The above list will eventually become outdated too. If you’re responsible for implementing an authentication system, then you should keep yourself up to date on the latest standards of cryptography.”

I’ve fixed the https references in the example URLs. Ironically, the link to the bcrypt source doesn’t support https!

Also Liked

billkarwin

billkarwin

Author of SQL Antipatterns, Volume 1

Normally I don’t like to use Wikipedia links, because some folks have issues with the fact that it’s a tertiary source. But I already broke that rule the other day because I found anchormodeling.com is flaky and was intermittently not responding. So I linked to the Wikipedia article on Anchor Modeling instead. So I’ve fixed the link to Bcrypt to use its Wikipedia article too.

Ted

Ted

Thanks, and I understand the reticence towards referencing Wikipedia.

I looked around for a more direct source before making the suggestion but I didn’t find anything else that quickly got to the point and listed implementations in various languages / environments.

Much like the Anchor Modeling situation, I think it’s the pragmatic choice in this limited circumstance.

Thanks again and congrats on going to print production!

Where Next?

Popular Pragmatic Bookshelf topics Top

ianwillie
Hello Brian, I have some problems with running the code in your book. I like the style of the book very much and I have learnt a lot as...
New
HarryDeveloper
Hi @venkats, It has been mentioned in the description of ‘Supervisory Job’ title that 2 things as mentioned below result in the same eff...
New
AleksandrKudashkin
On the page xv there is an instruction to run bin/setup from the main folder. I downloaded the source code today (12/03/21) and can’t see...
New
fynn
This is as much a suggestion as a question, as a note for others. Locally the SGP30 wasn’t available, so I ordered a SGP40. On page 53, ...
New
adamwoolhether
I’m not quite sure what’s going on here, but I’m unable to have to containers successfully complete the Readiness/Liveness checks. I’m im...
New
hazardco
On page 78 the following code appears: <%= link_to ‘Destroy’, product, class: ‘hover:underline’, method: :delete, data: { confirm...
New
AufHe
I’m a newbie to Rails 7 and have hit an issue with the bin/Dev script mentioned on pages 112-113. Iteration A1 - Seeing the list of prod...
New
taguniversalmachine
It seems the second code snippet is missing the code to set the current_user: current_user: Accounts.get_user_by_session_token(session["...
New
taguniversalmachine
Hi, I am getting an error I cannot figure out on my test. I have what I think is the exact code from the book, other than I changed “us...
New
jonmac
The allprojects block listed on page 245 produces the following error when syncing gradle: “org.gradle.api.GradleScriptException: A prob...
New

Other popular topics Top

ohm
Which, if any, games do you play? On what platform? I just bought (and completed) Minecraft Dungeons for my Nintendo Switch. Other than ...
New
AstonJ
Or looking forward to? :nerd_face:
483 11975 256
New
AstonJ
I’ve been hearing quite a lot of comments relating to the sound of a keyboard, with one of the most desirable of these called ‘thock’, he...
New
AstonJ
If you are experiencing Rails console using 100% CPU on your dev machine, then updating your development and test gems might fix the issu...
New
PragmaticBookshelf
Learn different ways of writing concurrent code in Elixir and increase your application's performance, without sacrificing scalability or...
New
PragmaticBookshelf
Build highly interactive applications without ever leaving Elixir, the way the experts do. Let LiveView take care of performance, scalabi...
New
gagan7995
API 4 Path: /user/following/ Method: GET Description: Returns the list of all names of people whom the user follows Response [ { ...
New
PragmaticBookshelf
Rails 7 completely redefines what it means to produce fantastic user experiences and provides a way to achieve all the benefits of single...
New
CommunityNews
A Brief Review of the Minisforum V3 AMD Tablet. Update: I have created an awesome-minisforum-v3 GitHub repository to list information fo...
New
PragmaticBookshelf
Explore the power of Ash Framework by modeling and building the domain for a real-world web application. Rebecca Le @sevenseacat and ...
New

Sub Categories: