djm's scribble

Archive for May 2006

... and a Java version too

written by djm, on May 24, 2006 4:24:00 PM.

After releasing py-bcrypt, I noticed that there is no equivalent for Java. Worse, the top two Google recommendations for “Java password hashing” and “Java password encryption” are really bad: one example uses reversible encryption (using single-DES ECB mode no less), when reversible encryption should only be used when it is really needed and as a last resort. The others recommend the use of an unsalted hash, which allows reverse lookup of the original password from a pre-computed dictionary of digests (a.k.a. a “rainbow table”). (I refuse to link to the articles, because by doing so I would further cement their status at the top of Google’s rankings and thereby perpetuate their bad advice.)

Why should developers care about the reversibility of password encryption or hashing? Because users have been shown to frequently use the same password in multiple places, and if your password database is disclosed then the attacker can reverse it at their leisure and then use it to attack other services that your customers use.

I think the best remedy for this situation is to release an implementation of a good password hashing scheme for Java: jBCrypt. This uses the same algorithm as py-bcrypt: Provos and Mazières’ “A Future-Adaptable Password Scheme”, first introduced by OpenBSD and now available in other operating systems (including Solaris 10+). jBCrypt has a really simple API, a license that is very permissive, and a set of JUnit tests to make sure it works.
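As an added illustration of the unsalted-digest problem described above (example code written for this page, not part of the original post, py-bcrypt or jBCrypt): the weak-password list and the precomputed MD5 dictionary are constructed here, and PBKDF2-HMAC from the Python standard library stands in for bcrypt's Blowfish-based scheme, using py-bcrypt-style gensalt/hashpw/checkpw names.

```python
import hashlib
import hmac
import os

# Constructed list of weak passwords; the dict below plays the role of the
# attacker's precomputed digest dictionary ("rainbow table") for unsalted MD5.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
PRECOMPUTED_MD5 = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def md5_lookup(stored_digest):
    """Unsalted md5(plaintext): a single table lookup recovers the password."""
    return PRECOMPUTED_MD5.get(stored_digest)


# Salted, iterated hashing with a py-bcrypt-style API. PBKDF2-HMAC-SHA256 is
# an assumed stand-in for bcrypt, which needs a third-party module.
ROUNDS = 100_000


def gensalt():
    """Fresh random 16-byte salt per password, hex-encoded."""
    return os.urandom(16).hex()


def hashpw(password, salt, rounds=ROUNDS):
    """Self-describing stored form: $pbkdf2-sha256$<rounds>$<salt>$<digest>."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), rounds)
    return f"$pbkdf2-sha256${rounds}${salt}${dk.hex()}"


def checkpw(password, stored):
    """Recompute with the stored salt and rounds; constant-time compare."""
    _, _, rounds, salt, _ = stored.split("$")
    return hmac.compare_digest(hashpw(password, salt, int(rounds)), stored)


def demo():
    # Unsalted: identical passwords give identical digests, so the table matches.
    recovered = md5_lookup(hashlib.md5(b"letmein").hexdigest())
    # Salted: the same password for two users yields two different digests;
    # the precomputed table matches nothing and every guess costs ROUNDS work.
    h1 = hashpw("letmein", gensalt())
    h2 = hashpw("letmein", gensalt())
    return recovered, h1 != h2, checkpw("letmein", h1), checkpw("wrong", h1)
```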

Released py-bcrypt

written by djm, on May 22, 2006 10:51:00 PM.

I just released py-bcrypt, a Python implementation of OpenBSD’s Blowfish password hashing, after needing a good password hash for a web application. Hopefully making it available will encourage people to use it instead of perpetuating stupidities like storing their web application’s passwords unhashed, or as a simple md5(plaintext).

Congratulations Katy

written by djm, on May 18, 2006 12:58:00 PM.

Well done sis! I know you put in a lot of effort and it is wonderful to see it pay off. Don’t stop your study, you will need it more than before now.

OpenBSD TODO list version 0.00001

written by djm, on May 11, 2006 12:13:00 PM.

I have posted my TODO list for OpenBSD-related things. My already-scant free time is diminishing rapidly and (sadly) I doubt that I’ll have many opportunities to work on any of these things this year.

OpenSSH 4.4 testing

written by djm, on May 9, 2006 10:51:00 AM.

We are getting close to releasing OpenSSH 4.4 and this version will include a surprising number of useful features. There is something of a list in the call for testing email that I sent to the portable OpenSSH list a week ago. If you use OpenSSH, then please try one of the snapshot releases, or at least download it and run “./configure && make tests”. The snapshot releases are very stable, and you could consider running them on workstations or non-production servers. You can report your findings (success or failure) back to the openssh-unix-dev@mindrot.org mailing list (if you are not subscribed then you will need to complete a one-time authentication challenge to prove that you are not a spam robot).

Hidden

written by djm, on May 2, 2006 9:37:00 PM.

My wife and I saw Michael Haneke’s Hidden last night. It was the most finely crafted piece of film that I have seen in several years. From the first scene the film plays with the viewer - making us question what it is that we are seeing, making us consider whether our middle-class comfort is as fragile as Georges’ and whether we would really be able to display more integrity than he does, causing us to recall demons that lurk in our suppressed personal and cultural pasts. Haneke tells the story without hurry and with an almost cinéma vérité style (this is one of the games he plays with the viewer), but I did not find a single moment slow or boring - I was fascinated the entire way through.

10/10 - it is tempting to take half a point off because I missed something pivotal in the final scene leading me to completely misinterpret it, but this just makes me want to see it again. If you watch the film, then pay attention at the end!