[erlang-questions] Two beautiful programs - or web programming made easy

Jesper Louis Andersen <>
Wed Feb 16 13:54:49 CET 2011


On Wed, Feb 16, 2011 at 08:54, Håkan Huss <> wrote:

> Anyway, no-one stores passwords in plain text these days, right? (I
> always check the "forgot password" mechanism of web sites that I sign
> up to. If they can send me my password I tend to be wary of their
> security. If they offer to reset my password, they at least got one
> thing right...).

It doesn't really matter. If they simply decided to run SHA1 on your
password, they can't give you back your password, but it is not secure
by any means. It can be attacked by brute force and by rainbow tables
easily. Rainbow tables can be defeated by adding a salt, but the real
solution is to use a key derivation function where a check is forced
to take computing time and or memory, see PBKDF2, bcrypt and scrypt.

The only real solution is to derive a random password for each site
that wants one. You can't trust others to get crypto right, as most
often they wont.

-- 
J.


More information about the erlang-questions mailing list