This is Tdibble's Typepad Profile.
Tdibble
Recent Activity
@Nishith Prabhakar: "How does one know if the site is safe (storing a salted hash) and not a gawker?" The most reliable indication is if they let you "retrieve" your password or if they only allow you to reset it. Most of the time passwords are stored reversibly so they can send them out to users who forget them. Of course, I'm fairly certain Gawker didn't allow password retrieval either. They were the special kind of incompetent that didn't have a requirement for password retrieval yet stored them insecurely anyway.

@Adam Rosenfield (and others): "Gawker did NOT store passwords. You are flat-out wrong there, Jeff. They stored the standard DES hashes of passwords as computed by crypt($password, "xy"), where "xy" is a random two-character salt (http://php.net/manual/en/function.crypt.php)." DES is reversible encryption. Yes, 'crypt' uses the password as the seed rather than as the encrypted value, so there are theoretically multiple possible decryptions for each "hash", but the entropy there is incredibly low. Almost all of the Gawker password hashes have been reversed at this point. DES reversal is just a matter of time and computing cycles, then throw out the ones with characters the keyboard can't easily produce.

That having been said: yes, if you are just going to brute-force, you can guess the passwords of the strength seen in Gawker's database just as easily had they been storing 5xMD5 hashes or similarly non-reversible storage approaches. No matter how well a site stores passwords, if your common password is "123456" or, apparently, "monkey" (???), it will get guessed and verified with such a database dump. What Gawker did was expose the guy who has the non-common brute-force-resistant password like "tiaucpw4ts" (this is an un-crackable password 4 this site). That guy's doing everything "right", but if he went to the trouble to do things "right" with that password he is probably using it on more than one site; Gawker just gave away that password everywhere.
Commented Dec 19, 2010 on The Dirty Truth About Web Passwords at Coding Horror
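The comment above contrasts reversible storage with a salted one-way store, and argues that a dump still exposes the "123456" and "monkey" crowd while only a strong store protects the "tiaucpw4ts" user. The following is an added Python example, not code from the comment or from Coding Horror: it stores passwords as salted, iterated PBKDF2-HMAC-SHA256 (the algorithm, iteration count and the short common-password list are assumptions), verifies them, and runs the kind of common-password audit a site operator can do against its own records.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Assumed parameters for this example (not from the comment or any real site).
ITERATIONS = 100_000
SALT_BYTES = 16


def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a 'salt$hash' record: a random per-user salt plus an iterated,
    one-way PBKDF2-HMAC-SHA256 digest. There is no key to decrypt with, so
    the site can only reset a forgotten password, never 'retrieve' it."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def audit_common_passwords(records: Dict[str, str], wordlist: List[str]) -> List[str]:
    """Operator-side check: which accounts use a password from a known-common list?
    Per-user salts force one PBKDF2 run per (account, word) pair, yet a handful
    of universally common words still match immediately; a strong, unique
    password like the one praised in the comment never does."""
    return sorted(user for user, rec in records.items()
                  if any(verify_password(word, rec) for word in wordlist))


# Constructed sample data: three accounts, one using a word from the list.
COMMON_PASSWORDS = ["123456", "password", "monkey", "qwerty"]  # constructed list


def build_sample_records() -> Dict[str, str]:
    return {
        "alice": store_password("tiaucpw4ts"),
        "bob": store_password("monkey"),
        "carol": store_password("correct horse battery staple"),
    }


if __name__ == "__main__":
    print(audit_common_passwords(build_sample_records(), COMMON_PASSWORDS))  # ['bob']
```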
"Speed of iteration -- the Google Chrome project has it.
1.0 December 11, 2008
2.0 May 24, 2009
3.0 October 12, 2009
4.0 January 25, 2010
5.0 May 25, 2010
6.0 September 2, 2010"

I'd call that "speed of version number inflation" more than speed of iteration. The current build is hardly akin to a 2.0 release. Still impressive, but calling it "6.0" implies 6 major design variations, and IMHO does the project a major disservice. They have stayed the same course the whole time, and have a good product to show for it. In any case, yeah, fast iterations are important when your customer base is geeks of the world. They understand and overlook imperfections.

I don't think you're as right about Android/iPhone though. Google is making significant progress there, but they are also accruing some significant technical debt and their triple user bases (carriers, manufacturers, then customers) keep them from servicing that debt at any manageable rate. They will need to "turn" soon, and momentum has a funny way of upending vehicles which turn too quickly.
Commented Sep 13, 2010 on Go That Way, Really Fast at Coding Horror
Tdibble is now following The Typepad Team
Dec 3, 2009