Open elithrar opened 10 years ago
Password storage
https://github.com/astaxie/build-web-application-with-golang/blob/master/en/eBook/09.5.md
Most of the solutions there don't solve the problem:
- Salted MD5 is still a very, very bad choice (esp. using application-wide salts)
- Salted SHA-1 or SHA-2 (i.e. SHA-256) are only slightly better, but still bad
- You mention scrypt in passing only
- The example code you are providing in a tutorial for new Go developers is severely insecure, and sets a bad standard.
Your examples should be realistic - writing about password storage and then going on (in a later chapter!) to use an insecure method is harmful to new developers.
base64 is an encoding type, not an encryption method. There are no secrets, no keys. I would remove the base64 section from that chapter entirely.
> Your examples should be realistic
yep, I should improve this code.
> base64 is an encoding type, not an encryption method.
I mentioned at the start:
If the Web application is simple enough and its data security requirements are not stringent, then you can use a relatively simple method of encryption and decryption: base64
No. You have said encryption. base64 does not encrypt anything at all and is not a "relatively simple method of encryption".
Base64 (http://en.wikipedia.org/wiki/Base64) is just a way to encode data within a defined set of characters. There's no security - not even "simple" security. Delete that entire section from the document.
You're teaching people the wrong thing. MD5 should never be used for anything security-related, even in "small" programs. Do it correctly and use something like bcrypt.
Your claim that base64 is encryption/decryption is also plain wrong. There's no debate about this. Base64 is not a form of cryptography in any way whatsoever.
Here's some material you can read to learn more about the subject:
This was resolved in https://github.com/astaxie/build-web-application-with-golang/pull/824... 7 years ago 😅
MD5 hashes are easily brute forced (or bypassed with a rainbow table) - especially so when unsalted.
I strongly suggest changing your Custom Authentication example to use Go's bcrypt package, which is both simple to use and extremely secure.
The login code would therefore become:
... and in the registration process:
For further reading: http://yorickpeterse.com/articles/use-bcrypt-fool/
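The login and registration snippets this comment refers to are not on the page. The following is an added example, written for this thread and not the commenter's or the book's code, showing the register/verify shape being recommended. The thread's actual recommendation is the golang.org/x/crypto/bcrypt package (bcrypt.GenerateFromPassword and bcrypt.CompareHashAndPassword); so that this file builds with the standard library alone, it swaps in PBKDF2-HMAC-SHA256 (RFC 8018) as the slow, salted hash, which makes the same point (per-user random salt, tunable cost, constant-time comparison) with a different primitive. It also keeps the unsalted-MD5 scheme the thread objects to beside it, with a five-word constructed wordlist standing in for a rainbow table, to show why that scheme fails. All function names (InsecureMD5Hash, CrackMD5, pbkdf2SHA256, HashPassword, VerifyPassword), the record format and the iteration count are this example's own choices, not anything from the book.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// InsecureMD5Hash is the scheme the thread objects to: one fast, unsalted hash,
// so equal passwords give equal hashes and a precomputed table recovers them.
func InsecureMD5Hash(password string) string {
	sum := md5.Sum([]byte(password))
	return hex.EncodeToString(sum[:])
}

// CrackMD5 stands in for a rainbow-table lookup: hash each candidate, compare.
func CrackMD5(hashHex string, wordlist []string) (string, bool) {
	for _, w := range wordlist {
		if InsecureMD5Hash(w) == hashHex {
			return w, true
		}
	}
	return "", false
}

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018), written against the
// standard library only so this file builds without golang.org/x/crypto.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)              // U1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...) // T = U1 xor U2 xor ... xor Uc
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

const iterations = 100000 // deliberately slow; raise it as hardware gets faster

// HashPassword is the registration step: a fresh 16-byte random salt per user,
// stored in a self-describing record together with the iteration count.
func HashPassword(password string) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := pbkdf2SHA256([]byte(password), salt, iterations, 32)
	enc := base64.RawStdEncoding
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", iterations, enc.EncodeToString(salt), enc.EncodeToString(dk)), nil
}

// VerifyPassword is the login step: recompute with the stored salt and cost and
// compare in constant time, so timing does not reveal how many bytes matched.
func VerifyPassword(record, password string) (bool, error) {
	parts := strings.Split(record, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false, fmt.Errorf("unrecognised password record")
	}
	enc := base64.RawStdEncoding
	iters, errI := strconv.Atoi(parts[1])
	salt, errS := enc.DecodeString(parts[2])
	want, errK := enc.DecodeString(parts[3])
	if errI != nil || iters < 1 || errS != nil || errK != nil {
		return false, fmt.Errorf("malformed password record")
	}
	got := pbkdf2SHA256([]byte(password), salt, iters, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1, nil
}

func main() {
	// Constructed five-entry wordlist standing in for a real rainbow table.
	wordlist := []string{"123456", "password", "qwerty", "letmein", "hunter2"}
	w, ok := CrackMD5(InsecureMD5Hash("hunter2"), wordlist)
	fmt.Println("unsalted MD5 recovered:", ok, w)
	rec, _ := HashPassword("hunter2") // registration
	ok, _ = VerifyPassword(rec, "hunter2") // login
	fmt.Println("login with right password:", ok)
	ok, _ = VerifyPassword(rec, "hunter3")
	fmt.Println("login with wrong password:", ok)
}
```

Two things carry over directly to the bcrypt version the thread asks for: registration stores only the output of the slow hash (never the password, never a reversible encoding such as base64), and login recomputes and compares rather than decoding anything. Storing the cost in the record, as this format and bcrypt's own "$2a$10$..." strings both do, is what lets you raise the cost later without breaking existing accounts. One bcrypt-specific caveat worth knowing: bcrypt only uses the first 72 bytes of the password, so very long passphrases are silently truncated.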