The Hash Challenge

January 8, 2015

The facebook discussion about my previous blogpost went off-topic and resulted in an interesting challenge. One of the commenters (Stilgar) was not convinced that passwords hashed with MD5 (or SHA) are so easy to crack if there is salt. So he posted a challenge: “I’ll post the hash of a “password” which is going to […]


Verifying Secure Password Storage Externally

February 25, 2014

Many websites (including big ones like Adobe, Yahoo, LinkedIn, Gawker, etc.) store user passwords insecurely: either in plain text, or encrypted (reversible), or using a broken or brute-forceable hash function. Many websites continue to be built with poor password storage mechanisms. So what? Well, if the database leaks somehow (and it obviously happens, see the […]


Login Tokens In Email Links

April 26, 2013

Your system is probably sending some emails. Sometimes these emails contain links to the public part of the site, sometimes they have links to the authentication-protected part. Either way, if the email is sent to registered users (as opposed to just subscribed emails) you should not make the user type in username and password. Even […]


A Guide To Authenticating Users With Mozilla Persona

December 1, 2012

Having only twitter and facebook authentication so far, I decided to add Mozilla Persona to the list for my latest project (computoser, computer-generated music). Why? I like trying new things. Storing passwords is a tough process, and even though I know how to do it, and even have most of the code written in another […]


Bcrypt. It’s The Bare Minimum.

August 23, 2012

The other day I read this Arstechnica article and realized how tragic the situation is. And it is not this bad because of the evil hackers. It’s bad because few people know how to handle one very common thing: authentication (signup and login). But it seems even cool companies like LinkedIn and Yahoo do it […]


We Don’t Need No Password Strength Checker

October 31, 2010

Password strength checkers appear from time to time on web registration forms. But in my opinion they are useless. I’ll justify. Jeff Atwood lists the possible ways to obtain one’s password: phishing – password strength indicators can’t help with this at all. We can only rely on browsers to warn users in time, and that […]