[jonny_noog]

I agree on all points. I like the name of your plugin(s).

The main issue I have with bcrypt-ruby as I said is that there is basically no Windows support for it that I can find. I know that most of us who develop with Ruby/Rails use a Mac or Linux/Unix but there are some, like my business partner, who still use Windows as their development environment. For a Rails plugin or Ruby gem, I think it would be really nice if at least some effort was made to keep it more easily cross-platform compatible for those of us who are not C coders.

But, I really think for anything that is not being used in the NSA, Sha256 + salt would work just fine.

As I said, I'm no security expert, but the reading I have done would lead me to agree with you. It's all about degrees of security with the trade-off always being more security means less convenience for someone, be it the developer or the end user. I've weighed the security/convenience issue for me at this point in time, and I'm sticking with salted SHA256.

[tptacek]

The trade-off is indeed the security of your users versus the convenience of your developers.

That said, I don't so much care whether you store your passwords with a demonstrably inferior scheme like Authgasm's default or the 1-line-delta variant of it that resolves its biggest problem. It's fine to be ignorant about this stuff; it's not going to make you 1 extra dollar to do it right.

Just don't be militant about your ignorance.

[jonny_noog]

Just for the record, I'm not using Authgasm, not because I have any problem with it, I just chose to write the login stuff for my current project myself for various reasons I won't go into and had done so long before I came across this post.

I don't think I'm being militant about anything... Just carrying on what was a reasonably pleasant and honest conversation. Yes, part of my decision was to do with that my partner is a Window's user and I can't do anything about this at the moment. But the other part of the calculation that you overlook is that my current project is not one that requires over the top, secret squirrel encryption on stored passwords. This consideration came into it as well.

You sound bitter, man. Maybe you should take a nap and stop being so militant yourself.

[tptacek]

Why do you think your application doesn't require "over the top" encryption on stored passwords? Who are your users?

[jonny_noog]

So what, I'm meant to reply with something like "Um, my users are people..." and then you say something like "Well people pick shit passwords..." and so on.

Did the SHA eat your babies or something? :P

Seriously though, probably "over the top" was not a good choice of term. In a perfect world, I agree with the unspoken point you're trying to lead me into, which seems to be that all applications should never compromise on their security regardless of convenience or who their users are etc. But surely you must agree that in the real world this isn't always viable. I don't have unlimited time at my disposal.

If my current situation allowed it, I would use bcrypt based solely on the fact that OpenBSD recommend it.

However, my current situation does not allow this. Therefore, I have made a pragmatic decision that will enable me to continue moving towards my goal. I'm not going to apologize to you or anyone else for this.

I appreciate that you are passionate about what I assume is your chosen field of expertise, but perhaps in the future you could try talking to people more so than down to them. You might just find it yields friendlier results.

[tptacek]

No, you've totally missed my point. I wanted to know, do you not have real users? Can arbitrary people not sign up for your application? Does it have a closed user base? Is it an enterprise product? Because, then, maybe password storage isn't an issue for you.

Otherwise, your users aren't simply giving you "shit passwords". They're giving you their bank password. Normal people do not make up 16 different passwords for all their web applications. If you take passwords from normal people on the Internet, and you ever get popular, you will come into possession of a large database of Bank of America credentials.

So yes, maybe you ought to consider being careful with them.

[jonny_noog]

Doesn't using the same password everywhere (particularly if it's also your online banking password) qualify it as a "shit password" as I so eloquently put it? :)

In any case, I accept that there should be some degree of responsibility taken by the developer to try and protect their users information, lest we get the whole Reddit situation.

But as someone once said, you can't make the Internet idiot proof.