[Cryptography] Why don't we protect passwords properly?
ianG
iang at iang.org
Sun Dec 22 01:28:59 EST 2013

On 22/12/13 02:07 AM, Patrick Mylund Nielsen wrote:
> On Fri, Dec 20, 2013 at 11:00 PM, Bill Cox <waywardgeek at gmail.com
> > Scrypt, used by FreeCoin, shows how to do truly effective key
> > stretching,
>
> I'm really positively surprised to read this sentence. I would have
> never expected cryptocurrencies to be a reason people started talking
> about using expensive KDFs for something like password authentication.

It's money. They are serious. Bitcoin is the cutting edge for what
really matters in crypto -- money.

...

> There are people who really should know better: IETF WG members,

Why do you think they should know any better? Just curious...

This is like the old von Mises fallacy of government regulation. He
asked why it is that people think that the government knows more about
the market than those in the market? When you analyse what happens in
the real world, all the signs point to the opposite: if people knew
more about the market than the players, then they would be in the market
making money. The reason they join the government is more likely that
they know too little to be in the market.

What's that old saw about teachers?

> Unfortunately, there are many programmers that share your attitude that
> crypto is way cool, but *don't* spend anywhere near enough time actually
> studying it before making the next big privacy-preserving social
> application with "military-grade AES 256-bit security." If they did, I
> think we'd see a lot more scrypt, bcrypt, PBKDF2, SRP, etc., and much
> fewer homegrown, ineffective contraptions.

Knowledge is more like a pyramid than a set of wings. We need a big and
broad base in order to build towards the sun.

iang