AES for Password Hashing

Submitted by Bill St. Clair on Wed, 27 Jul 2011 13:54:27 GMT <== Lisplog ==>

Following a G+ discussion with Nikodemus Siivola, in which he recommended using bcrypt instead of a hash function for encoding passwords, I updated Lisplog to use AES, since I didn't have bcrypt handy. AES doesn't have the tuning parameters to make encryption take longer, as bcrypt does, but I figure it's at least slower than a simple hash, so it should help.

I initially used a simple MD5 hash, copying the Drupal mechanism so that I could just copy my Drupal data. I have not yet updated this blog with the new code. Soon.

Add comment Edit post Add post

Comments (2):

Turns out this is completely

Submitted by Bill St. Clair on Wed, 27 Jul 2011 21:45:22 GMT

Turns out this is completely misguided. The thing that makes bcrypt useful for hashing passwords is its string-to-key (S2K) mechanism, which salts and then hashes thousands of times. The encryption part hardly matters. Will fix.

Edit comment

On further thought

Submitted by Bill St. Clair on Thu, 28 Jul 2011 06:55:56 GMT

On further thought, I'm not going to bother making my password hashes really secure. I don't expect them to be compromised anyway (famous last words). I DID change the code to hash the AES output, so that it's a uniform length, not revealing the actual length of the user password.

Edit comment

Add comment Edit post Add post

Previous Posts:
The Most Dangerous Word in the World
An Efficient and Practical Distributed Currency
Quote
Mass Murder Is the Problem
A Letter to the Norwegian Government following the Oslo Terrorist Attacks
Virgil's Zero Root Beer
The Coming Hyperinflation
A Servant of Their Rights
Responsibilities of a resident of the police state, part IV
Quote

Navigation

History

Quotes

Government doesn't work. Never did. Never will. Can't. But there are lots of good people. Love them.

-- Bill St. Clair

The Atlanta Declaration

Every man, woman, and responsible child has an unalienable individual, civil, Constitutional, and human right to obtain, own, and carry, openly or concealed, any weapon -- rifle, shotgun, handgun, machinegun, anything -- any time, any place, without asking anyone's permission.

-- L. Neil Smith

Reread that pesky first clause of the Second Amendment. It doesn't say what any of us thought it said. What it says is that infringing the right of the people to keep and bear arms is treason. What else do you call an act that endangers "the security of a free state"? And if it's treason, then it's punishable by death. I suggest due process, speedy trials, and public hangings.

-- L. Neil Smith

A Penalty Clause for the Bill of Rights

Any official, appointed or elected, at any level of government, who attempts, through legislative act or other means, to nullify, evade, or avoid the provisions of the first ten amendments to this Constitution, or of the Thirteenth Amendment, shall be summarily removed from office, and, upon conviction, deprived of all pay and benefits including pension, and sentenced to imprisonment for life.

-- L. Neil Smith

Based on 253 journal articles, 99 books, 43 government publications, and some of its own empirical work, the panel couldn't identify a single gun control regulation that reduced violent crime, suicide or accidents.

-- John Lott, commenting on the National Academy of Sciences report on gun control laws.

Who is a libertarian?

Zero Aggression Principle ("Zap")

"A libertarian is a person who believes that no one has the right, under any circumstances, to initiate force against another human being, or to advocate or delegate its initiation. Those who act consistently with this principle are libertarians, whether they realize it or not. Those who fail to act consistently with it are not libertarians, regardless of what they may claim."

-- L. Neil Smith

(Formerly called the "Non-Aggression Principle", or "NAP")

Why Did It Have to be... Guns?

Make no mistake: all politicians -- even those ostensibly on the side of guns and gun ownership -- hate the issue and anyone, like me, who insists on bringing it up. They hate it because it's an X-ray machine. It's a Vulcan mind-meld. It's the ultimate test to which any politician -- or political philosophy -- can be put.

If a politician isn't perfectly comfortable with the idea of his average constituent, any man, woman, or responsible child, walking into a hardware store and paying cash -- for any rifle, shotgun, handgun, machinegun, anything -- without producing ID or signing one scrap of paper, he isn't your friend no matter what he tells you.

If he isn't genuinely enthusiastic about his average constituent stuffing that weapon into a purse or pocket or tucking it under a coat and walking home without asking anybody's permission, he's a four-flusher, no matter what he claims.

What his attitude -- toward your ownership and use of weapons -- conveys is his real attitude about you. And if he doesn't trust you, then why in the name of John Moses Browning should you trust him?

-- L. Neil Smith

Concise

"Tell me," I was once asked, "What do you think about gun control? Give me the short answer." To which I replied, "If you try to take our firearms we will kill you."

-- Mike Vanderboegh

Also from The Atlanta Declaration:

... like going to the bathroom, breathing, eating, sleeping, or making love, it turns out that self-defense is a bodily function one cannot safely or effectively delegate to a second party.

-- L. Neil Smith

This does not mean that "Marijuana should be available by prescription." It means that morphine sulfate should be available in five pound bags at the supermarket for a couple of bucks, like sugar... but probably in a different aisle, to avoid confusion.

-- Vin Suprynowicz

If you refuse to pay unjust taxes, your property will be confiscated. If you attempt to defend your property, you will be arrested. If you resist arrest, you will be clubbed. If you defend yourself against clubbing, you will be shot dead. These procedures are known as the Rule of Law.

-- Edward Abbey

The state can only survive as long as a majority is programmed to believe that theft isn't wrong if it's called taxation or asset forfeiture or eminent domain, that assault and kidnapping isn't wrong if it's called arrest, that mass murder isn't wrong if it's called war.

-- Bill St. Clair