Fabians Bookmarks

This cheat sheet advises you on the proper methods for storing passwords for authentication. When passwords are stored, they must be protected from an attacker even if the application or database is compromised. Fortunately, a majority of modern languages and frameworks provide built-in functionality to help store passwords safely.

However, once an attacker has acquired stored password hashes, they are always able to brute force hashes offline. Defenders can slow down offline attacks by selecting hash algorithms that are as resource intensive as possible.

To sum up our recommendations:

Use Argon2id with a minimum configuration of 19 MiB of memory, an iteration count of 2, and 1 degree of parallelism.
If Argon2id is not available, use scrypt with a minimum CPU/memory cost parameter of (2^17), a minimum block size of 8 (1024 bytes), and a parallelization parameter of 1.
For legacy systems using bcrypt, use a work factor of 10 or more and with a password limit of 72 bytes.
If FIPS-140 compliance is required, use PBKDF2 with a work factor of 600,000 or more and set with an internal hash function of HMAC-SHA-256.
Consider using a pepper to provide additional defense in depth (though alone, it provides no additional secure characteristics).

hashing passwords security scrypt argon2

November 18, 2023 at 10:13:22 PM GMT+1*

https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#scrypt

Key derivation function - Wikipedia

As of May 2023, OWASP recommends the following KDFs for password hashing, listed in order of priority:

Argon2id
scrypt if Argon2id is unavailable
bcrypt for legacy systems
PBKDF2 if FIPS-140 compliance is required

https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

security passwords hashing scrypt argon2 pbkdf2

November 18, 2023 at 10:12:31 PM GMT+1*

https://en.wikipedia.org/wiki/Key_derivation_function

Berkeley Graphics - Berkeley Mono Typeface

Berkeley Mono Typeface

typeface font monospace technical

November 13, 2023 at 1:16:08 PM GMT+1*

https://berkeleygraphics.com/typefaces/berkeley-mono/

Why Your Project Doesn't Need a Contributor Licensing Agreement - Conservancy Blog - Software Freedom Conservancy

floss opensource license licensing cla

November 12, 2023 at 9:33:38 PM GMT+1*

https://sfconservancy.org/blog/2014/jun/09/do-not-need-cla/

The Big O of Code Reviews

development softwareengineering git github

November 11, 2023 at 12:43:08 PM GMT+1*

https://www.egorand.dev/the-big-o-of-code-reviews/

WICG/navigation-api: The new navigation API provides a new interface for navigations and session history, with a focus on single-page application navigations.

web webdev webdesign browsers navigation spa javascript

November 1, 2023 at 12:27:59 PM GMT+1*

https://github.com/WICG/navigation-api

xataio/pgroll: PostgreSQL zero-downtime migrations made easy

PostgreSQL zero-downtime migrations made easy

postgresql database

October 31, 2023 at 6:10:37 PM GMT+1*

https://github.com/xataio/pgroll

Test Ad Block - Toolz

ads adblock browsers tools

October 28, 2023 at 12:17:53 AM GMT+2

https://d3ward.github.io/toolz/adblock.html

Trust & Safety Tycoon

You will be tasked with growing the Trust & Safety team at a social media startup and navigating a series of difficult dilemmas. Get ready to make tough moderation decisions, shape platform policies, and invest in your team as the company scales from small startup to IPO.