[anonymoushn]

bcrypt does not allow me to not use a salt. A connection is the same if it's the same file descriptor and it's been open continually. My client uses public key pinning to ensure it is talking to my actual server. I don't have any mechanism to prevent someone who can break TLS and take over TCP connections from impersonating users in my online game.

[pushpop]

Re salt, presumably you’re storing that bcrypt as a hashed string though?

Re TCP connections, I was thinking HTTP proxies. Sounds like this isn’t HTTP traffic though so that’s not an issue.

Also why was my previous comment negative karma’ed? All I was doing was asking a couple of questions on a post that’s quite vague. The amount of abuse HNs rep system gets is pretty absurd.

[anonymoushn]

I'm storing strings like

  > =bcrypt.digest("hello", bcrypt.salt(10))
  $2y$10$r4hm7bIEdyth2ni8ufmpvuIQqnPeJSOAHne1Mk1yC0FPsIxP.lKsS

This string includes the algorithm, the difficulty, the salt, and the hash, so bcrypt.verify can do everything for me when someone tries to log in.

I appreciate your line of questioning. My reply to the top-level thread is pretty low value, since most people are trying to build web services that need sessions that persist across connections.

Complaining about downvotes is usually a way to collect more downvotes. This is partially because people are aware that it is against the guidelines at https://news.ycombinator.com/newsguidelines.html and partially because people get some sadistic pleasure out of punishing minor transgressions.

[pushpop]

Ahhh awesome.

The game stuff sounds interesting too.

[muldvarp]

You're getting negative karma'ed because your comment shows a lack of understanding of what bcrypt is and what it does. Here's a short explanation: bcrypt is a hash function that you should use for storing hashed passwords. When calculating the bcrypt hash of a string, a salt is automatically added. The result you get looks something like this: `$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy` The 2a specifies which version of bcrypt was used, the 10 is the number of rounds, N9qo8uLOickgx2ZMRZoMye is the salt and the remaining characters are the hash. When checking this hash against a password you have to call a second function and pass in the password as well as the hash. This second function will automatically parse the passed in hash and calculate the hash of the password with the same number of rounds and the same salt.

[pushpop]

Nar, I’m familiar with bcrypt. I was just getting bcrypt mixed up with scrypt. Doh.

Even so, that’s still not a good enough reason to -rep without feedback.