RubyFlow The Ruby and Rails community linklog

Reassurance - RubyFlow's passwords are hashed and salted

Given the recent nightmares Gawker (and some of its users) have been having, I should reassure you that the passwords on RubyFlow are (and always have been) salted and SHA-1 hashed. Nonetheless, use different passwords everywhere or a tool like 1Password where possible! Also consider this a reminder to check your own apps’ password systems. :-)

Comments

http://www.golubev.com/hashgpu.htm

2,300,000,000 SHA-1 hashes/sec on one video card. And I think I saw something come across my feed reader of someone running 8 of these cards in parallel. On one box.

I know it’s super hard to change now, but anyone writing new apps, if you are storing passwords please use bcrypt. It’s super easy, and designed to be slow to prevent brute forcing, unlike md5 or sha1 which are designed to be fast to facilitate checksumming of large files.

Yes, please use bcrypt.

The bcrypt-ruby library is super easy to use and, if converting an existing application, how about you just rehash everyone’s password the next time they log in and store whether the hash is bcrypt or not (actually pretty easy, as the string will contain ‘$’ and a SHA-1 hash will not).

What about a switch to HTTPS for the whole site?

https for the whole site is the only way to prevent session hijacking on open wi-fi. That said bcrypt should really be used for passwords not SHA-1.

Seriously, use HTTPS for the Signup and Login pages, and every page once logged in. It’s the year 2010, and I would like my Password and Cookie to be encrypted while in transit.

Also +1 for bcrypt.

Hi, I know this is not the place to ask this, but I couldn’t find any place to ask this. How can I get/reset my password? There ain’t any link on the site like ‘Forgot password’?

I have the same question as Millisami, how do I reset my password?

+1 for bcrypt too.
