[pnathan]

hey man - I'm putting together an unfunded product on the side by myself, and my passwords are using scrypt, and they have a salt, and the salt is per-user, and the system rejects weak passwords based on popular entries, bad entropy, and easy guessability. It honestly wasn't more than 8 hours of foolery to get all that working. Is it ready for the credit card industry? no. But it's going to stop derps who get their hands on the DB.

[anaphor]

Yeah but you didn't learn everything you know from poorly written PHP tutorial websites and W3Schools. The words "Key-Derivation Function" are nowhere to be found in the lexicon of these people.

[girvo]

I did, originally. And it's certainly in my vocab, and in my applications where applicable.

[acchow]

> and the salt is per-user

The only kind of salt...

[yourad_io]

You're forgetting table salt.

[ars_technician]

Consider that you are just practicing cargo-cult security though. You just piled a bunch of password security recommendations parroted all over the Internet to the detriment of your users.

If you are using scrypt with a reasonable difficulty and a per-user salt, there is no reason to put the entropy restrictions, weak password restrictions, etc on your end-users. It is painful to interact with sites that enforce ridiculous password requirements.

You can get away with a 4 character password on Netflix. There is a reason for that. Security is much more subtle that password complexity.

[pnathan]

> Consider that you are just practicing cargo-cult security though.

No, I really am not. But as I didn't describe my reasons, you don't have the context to understand them.

Frankly, if Netflix has 4-character passwords, I would expect it to be relatively easy to compromise their accounts live with a carefully put together campaign. If Netflix gets their username/pw database dumped, I expect we'll see their policy change as the passwords are trivially cracked.

Not only that, putting together a safe & sane password retry system isn't the easiest thing every, and doing careful fraud detection based on geolocation/ip etc isn't the easist thing ever either. Particularly when I don't have someone working full-time on security.

Further, what you also didn't know is that the password strength functions as written have knobs I can adjust if things are too onerous.

So having harder passwords goes a long way towards 'better security' on the account side for little effort.

I would advise you to be more cautious about making unsubstantiated statements based on ignorance in the future.

[abraininavat]

Just curious if you know what class of people you're making fun of when you use the term "derp".

[fphhotchips]

You piqued my curiosity, so I went looking. According to Know Your Meme, that most prestigious and reliable of sources, "derp" originated from Trey Parker and Matt Stone. First it was in a movie (where they were sniffing underwear), and then in South Park. Now, having not seen the episode, I can't really comment on its contents, but I assume that the character that first used the term in South Park was either simply stupid, or suffered from some form of disability. Either way, the term has since devolved into making fun of stupid people - which I believe the grandparent was also doing.