This oral history of password storage on the Web originally appeared as a remark in the #infosec channel of the Hangops slack—the conversation had turned to a mention of “hashed, salted passwords” in a breach announcement in a way that made me suspect at least some of our friends had not studied the topic in detail. Several participants then encouraged me to expand the remark into a blog post, and now here we are.While I was around for some of this, much of it predates my career; everything is as accurate as I can reasonably make it, but corrections of gross errors are welcomed.The first time people attempt to design a Web login system, they will usually default to simply inserting their users’ passwords in their database. This solution is simple, obvious, and wrong.The problem is that database storage is not nearly as private as we would all like it to be. Even the databases that we’d
Noel nilium
🍉
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --[[ | |
| Copyright (c) 2009 Noel R. Cower | |
| Permission is hereby granted, free of charge, to any person obtaining a copy | |
| of this software and associated documentation files (the "Software"), to deal | |
| in the Software without restriction, including without limitation the rights | |
| to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | |
| copies of the Software, and to permit persons to whom the Software is | |
| furnished to do so, subject to the following conditions: |
nilium
/ bmxparser.bmx
Created
August 12, 2010 08:01
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Rem | |
| Copyright (c) 2010 Noel R. Cower | |
| This software is provided 'as-is', without any express or implied | |
| warranty. In no event will the authors be held liable for any damages | |
| arising from the use of this software. | |
| Permission is granted to anyone to use this software for any purpose, | |
| including commercial applications, and to alter it and redistribute it | |
| freely, subject to the following restrictions: |
nilium
/ binpack.cc
Last active
December 12, 2015 03:18
Rudimentary tree packing class. Mainly intended for use with packing images for use in texture atlases. Uses pointers, so it's inherently evil.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // binpack.cc -- Noel Cower -- Public Domain | |
| #include "binpack.hh" | |
| namespace snow | |
| { | |
| binpack_t::binpack_t(const recti_t &frame, binpack_t *right, binpack_t *bottom) : | |
| pack_right_(right), pack_bottom_(bottom), frame_(frame), loaded_(false) | |
| {} |
nilium
/ classes.lua
Created
August 1, 2009 02:15
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --[[ | |
| Copyright (c) 2009 Noel R. Cower | |
| Permission is hereby granted, free of charge, to any person obtaining a copy | |
| of this software and associated documentation files (the "Software"), to deal | |
| in the Software without restriction, including without limitation the rights | |
| to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | |
| copies of the Software, and to permit persons to whom the Software is | |
| furnished to do so, subject to the following conditions: |
cite-reader
/ history-of-password-storage.md
Last active
July 9, 2020 18:24
An oral history of password storage
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| # cleanroom: run a command or shell in a clean, temporary copy of a repository. | |
| case "$1" in | |
| -h|-help|--help) | |
| cat <<'USAGE' | |
| Usage: cleanroom [-h|-help|--help] [CMD...] | |
| Execute a command in a clone of the current repository, made under | |
| a temporary directory. |
Yes. Here are some:
- jo_gif.cpp: tiny GIF writer (public domain)
- gif.h: animated GIF writer (public domain)
- tiny_jpeg.h: JPEG encoder (public domain)
- lodepng: PNG encoder/decoder (zlib license)
- nanoSVG: 1-file SVG parser; 1-file SVG rasterizer (zlib license)
- tinyobjloader: wavefront OBJ file loader (BSD license)
nicowilliams
/ fork-is-evil-vfork-is-good-afork-would-be-better.md
Last active
November 5, 2023 12:14
fork() is evil; vfork() is goodness; afork() would be better; clone() is stupid
I recently happened upon a very interesting implementation of popen() (different API, same idea) called popen-noshell using clone(2), and so I opened an issue requesting use of vfork(2) or posix_spawn() for portability. It turns out that on Linux there's an important advantage to using clone(2). I think I should capture the things I wrote there in a better place. A gist, a blog, whatever.
This is not a paper. I assume reader familiarity with
fork()in particular and Unix in general, though, of course, I link to relevant wiki pages, so if the unfamiliar reader is willing to go down the rabbit hole, they should be able to come ou