by crote
497 days ago
> I've literally blogged about tool recommendations before

Do you happen to know of a similar resource applicable to common HN deployment scenarios, like regular client-server auth?

For example, in your Beyond Bcrypt blog post[0] you seem to propose hand-writing a wrapper around bcrypt as the best option for regular password hashing. Are there any vetted cross-language libraries which take care of this? If one isn't available, should I risk writing my own wrapper, or stick with your proposed scrypt/argon2 parameters[1] instead? Should I perhaps be using some kind of PAKE to authenticate users?

The internet is filled with terrible advice ("hash passwords, you can use md5"), outdated advice ("hash passwords, use SHA with a salt"), and incomplete advice ("just use bcrypt") - followed up by people telling you what not to do ("don't use bcrypt - it suffers from truncation and opens you up to DDOS"). But to me as an average programmer, that just leaves behind a huge void. Where are the well-vetted batteries-included solutions I can just deploy without having to worry about it?

[0]: https://soatok.blog/2024/11/27/beyond-bcrypt/
[1]: https://soatok.blog/2022/12/29/what-we-do-in-the-etc-shadow-...
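The "wrapper" the comment asks about, shown as an added example that is not part of the thread and not code from either linked blog post: a minimal password-hashing layer over the standard library's `hashlib.scrypt` that stores a self-describing hash string (salt and cost parameters embedded, so they can be raised later), verifies with a constant-time comparison, and rehashes on successful login when the stored parameters are out of date. The storage format (`$scrypt$ln=..,r=..,p=..$salt$hash`), the cost parameters and the helper names are all assumptions made for this illustration, not recommendations taken from the blog posts; tune the parameters to your own hardware and latency budget.

```python
"""Self-describing scrypt password-hashing wrapper (illustrative, not a vetted library)."""
import base64
import hashlib
import hmac
import os

# Assumed cost parameters for the example only (ln = log2 of scrypt's N).
# They are NOT the parameters recommended in the blog posts referenced above.
DEFAULT_PARAMS = {"ln": 15, "r": 8, "p": 1}
SALT_LEN = 16
KEY_LEN = 32
# OpenSSL's default scrypt memory cap is 32 MiB; raise it so N=2^15, r=8 (~33 MiB) fits.
MAXMEM = 128 * 1024 * 1024


def _b64e(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))


def _derive(password: str, salt: bytes, ln: int, r: int, p: int) -> bytes:
    # The whole UTF-8 encoding is hashed: there is no bcrypt-style 72-byte truncation.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=1 << ln, r=r, p=p,
                          maxmem=MAXMEM, dklen=KEY_LEN)


def hash_password(password: str, params=None) -> str:
    """Return a storable string carrying algorithm, parameters, salt and hash."""
    params = params or DEFAULT_PARAMS
    salt = os.urandom(SALT_LEN)
    key = _derive(password, salt, params["ln"], params["r"], params["p"])
    return "$scrypt$ln={ln},r={r},p={p}${salt}${key}".format(
        salt=_b64e(salt), key=_b64e(key), **params)


def _parse(stored: str):
    """Split the assumed $scrypt$...$ format back into (params, salt, hash)."""
    try:
        _, alg, param_str, salt_b64, key_b64 = stored.split("$")
    except ValueError:
        raise ValueError("malformed hash string") from None
    if alg != "scrypt":
        raise ValueError(f"unsupported algorithm {alg!r}")
    params = {}
    for kv in param_str.split(","):
        k, v = kv.split("=")
        params[k] = int(v)
    if set(params) != {"ln", "r", "p"}:
        raise ValueError("missing scrypt parameters")
    return params, _b64d(salt_b64), _b64d(key_b64)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/parameters and compare in constant time."""
    params, salt, expected = _parse(stored)
    actual = _derive(password, salt, params["ln"], params["r"], params["p"])
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, params=None) -> bool:
    """True when the stored hash was made with parameters other than the current policy."""
    params = params or DEFAULT_PARAMS
    current, _, _ = _parse(stored)
    return current != params


def login(password: str, stored: str, params=None):
    """Return (ok, new_hash_or_None); the caller persists new_hash if it is not None."""
    if not verify_password(password, stored):
        return False, None
    if needs_rehash(stored, params):
        # The plaintext is only available at login, so upgrade the hash here.
        return True, hash_password(password, params)
    return True, None


if __name__ == "__main__":
    old = hash_password("hunter2", {"ln": 14, "r": 8, "p": 1})  # "legacy" cost
    ok, upgraded = login("hunter2", old)
    print(old)
    print(ok, upgraded)
```

The two properties worth noticing are that the stored string carries its own parameters, so raising the cost later needs no schema change and no mass re-hash, and that `verify_password` never short-circuits on a mismatch, so timing does not leak which byte differed. Rate limiting and the DDoS concern raised in the comment are outside this snippet.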