AES for Password Hashing
Following a G+ discussion with Nikodemus Siivola, in which he recommended using bcrypt instead of a hash function for encoding passwords, I updated Lisplog to use AES, since I didn't have bcrypt handy. AES doesn't have the tuning parameters to make encryption take longer, as bcrypt does, but I figure it's at least slower than a simple hash, so it should help.
I initially used a simple MD5 hash, copying the Drupal mechanism so that I could just copy my Drupal data. I have not yet updated this blog with the new code. Soon.
On further thought
On further thought, I'm not going to bother making my password hashes really secure. I don't expect them to be compromised anyway (famous last words). I DID change the code to hash the AES output, so that it's a uniform length, not revealing the actual length of the user password.
Turns out this is completely misguided. The thing that makes bcrypt useful for hashing passwords is its string-to-key (S2K) mechanism, which salts and then hashes thousands of times. The encryption part hardly matters. Will fix.
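What the follow-up comment is pointing at, shown in working code. This is an added example and not Lisplog's own code (which is Common Lisp); it is Python using only the standard library. It assumes PBKDF2-HMAC-SHA256 as the salt-and-iterate (S2K) step in place of bcrypt, a constructed iteration count, and a storage format of my own choosing; the AES step from the post is left out, since, as the comment says, the encryption part is not what provides the protection. The plain-MD5 function is the Drupal-style starting point from the post, included to show why a fast unsalted hash is the weak link: equal passwords give equal digests and one precomputed table covers every user.

```python
import hashlib
import hmac
import os
from typing import Optional

# Cost parameter: rounds of the underlying hash that every guess must pay for.
# 100_000 is a constructed value for the example; raise it until one hash
# takes tens of milliseconds on the server that checks logins.
DEFAULT_ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_md5(password: str) -> str:
    """The post's original mechanism (Drupal-style plain MD5).

    One fast round, no salt: two users with the same password get the same
    digest, and a table computed once serves against every account.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Salted, iterated hash: the S2K idea from the comment.

    Stored as 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' so the salt
    and the cost travel with the hash and can be raised later per user.
    The digest is always 32 bytes, so nothing about the password length leaks.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh per user; never shared or reused
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a stored hash used fewer rounds than current policy.

    Call after a successful login and re-store the password with the current
    cost, so old entries are upgraded without a mass reset.
    """
    _, iters, _, _ = stored.split("$")
    return int(iters) < iterations


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    alice, bob = "correct horse", "correct horse"
    print("plain MD5 equal across users:", unsalted_md5(alice) == unsalted_md5(bob))
    a, b = hash_password(alice), hash_password(bob)
    print("salted hashes equal across users:", a == b)
    print("alice verifies:", verify_password(alice, a))
    print("wrong password verifies:", verify_password("wrong", a))
    old = hash_password(alice, iterations=1_000)
    print("old entry needs rehash:", needs_rehash(old))
```

The stored string carries the iteration count, so the cost can be raised later and old entries upgraded one at a time as their owners log in; that is the tuning knob the post says AES lacks.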