[Cryptography] Why don't we protect passwords properly?

ianG iang at iang.org
Sun Dec 22 01:28:59 EST 2013


On 22/12/13 02:07 AM, Patrick Mylund Nielsen wrote:
> On Fri, Dec 20, 2013 at 11:00 PM, Bill Cox <waywardgeek at gmail.com

>     Scrypt, used by FreeCoin, shows how to do truly effective key
>     stretching,
>
>
> I'm really positively surprised to read this sentence. I would have
> never expected cryptocurrencies to be a reason people started talking
> about using expensive KDFs for something like password authentication.


It's money.  They are serious.  Bitcoin is the cutting edge for what 
really matters in crypto -- money.


...
> There are people who really should know better: IETF WG members,


Why do you think they should know any better?  Just curious...

This is like the old von Mises fallacy of government regulation.  He 
asked why it is that people think that the government knows more about 
the market than those in the market?  When you analyse what happens in 
the real world, all the signs point to the opposite:  if people knew 
more about the market than the players, then they would be in the market 
making money.  The reason they join the government is more likely that 
they know too little to be in the market.

What's that old saw about teachers?


> Unfortunately, there are many programmers that share your attitude that
> crypto is way cool, but *don't* spend anywhere near enough time actually
> studying it before making the next big privacy-preserving social
> application with "military-grade AES 256-bit security." If they did, I
> think we'd see a lot more scrypt, bcrypt, PBKDF2, SRP, etc., and much
> fewer homegrown, ineffective contraptions.


Knowledge is more like a pyramid than a set of wings.  We need a big and 
broad base in order to build towards the sun.



iang