|
McGlockenshire posted:The whole 2a/2x/2y thing has to do with some edge case or another. Backwards compatibility, basically. $2a$ was broken, $2y$ is fixed, $2a$ and $2x$ are for if you need to match against a hash generated by the old, broken $2a$.
|
#
?
Oct 7, 2012 00:12
|
|
|
|
| # ? May 16, 2024 22:03 |
|
|
McGlockenshire posted:As long as you manually pick a large enough cost parameter, yes, plain old PHP crypt() will do the job fine: Putting configuration parameters inside a string like that is a horror.
|
|
#
?
Oct 7, 2012 00:13
|
|
|
McGlockenshire posted:Be sure to RTFM and check the constants before using it. Yeah, I read that page; I just wanted to make sure it was indeed using the same bcrypt() as everywhere else, and that the Blowfish variant was the right one. I'll keep that in mind. Encasing the parameters into the string definitely seems like a horror, though. Why the gently caress would you do that? 
|
|
#
?
Oct 7, 2012 00:20
|
|
|
This way you can use the result of crypt() as the salt parameter and get the same result. You read the hashed output from whatever credential store you use (maybe /etc/shadow), pass it to crypt() again and if the result is the same then the key was correct. And the reason why this isn't stored out of band is UNIX. (In the original implementation, which always used DES, the first two bytes of the result were the salt. So the easiest way to check passwords is just checking that crypt(password, hash) == hash, because crypt only used the first two bytes of the salt parameter anyway. And since everybody did that anyway, allowing for other algorithms was most portably done by using some kind of marker in the salt value.) Bonfire Lit fucked around with this message at 00:45 on Oct 7, 2012 |
|
#
?
Oct 7, 2012 00:36
|
|
|
if you have some old function that only takes some number of parameters, and you want to add functionality that those parameters are insufficient for, wouldn't the right way to do it be to make a new function that takes more parameters, and then have the old function just transparently keep working the way it always did (either by calling the new function with certain additional parameters, or just by not altering it at all).
|
|
#
?
Oct 7, 2012 00:51
|
|
|
Then you would also have had to change the format of the /etc/passwd file, to include another field for password metadata. By keeping the file format and the call interface, old software is still able to read existing passwd files and check the passwords by crypt() calls without knowing about the new algorithms. It's a quite good solution if you ask me. Sure, if it was a brand new design something else had been prettier, but for a retrofit it's good.
|
|
#
?
Oct 7, 2012 00:56
|
|
|
Zamujasa posted:Encasing the parameters into the string definitely seems like a horror, though. Why the gently caress would you do that?
|
|
#
?
Oct 7, 2012 02:08
|
|
|
Time for another stupid question: suppose you have a user's stored bcrypt'd password and it is from so long ago that the work factor is unsatisfactory. Can you increase the work factor by some means and then discard the old version, or do you need access to the original password in order to do anything?
|
|
#
?
Oct 7, 2012 04:57
|
|
|
I expect that you'll need the original password. You could just wait for the next user login and rewrite it then...
|
|
#
?
Oct 7, 2012 05:07
|
|
|
Both PBKDF2 and bcrypt require the original passphrase and salt at each iteration of the stretching function.
|
|
#
?
Oct 7, 2012 05:34
|
|
|
You could rehash the already hashed password.
|
|
#
?
Oct 7, 2012 05:46
|
|
|
Just have the affected people update their passwords and use the new work factor. Or just ask what circumstances a low work factor on some passwords would cause actual security issues that aren't totally overshadowed by all the other bad things that would need to happen first.
|
|
#
?
Oct 7, 2012 18:14
|
|
|
McGlockenshire posted:I expect that you'll need the original password. You could just wait for the next user login and rewrite it then... The Gripper fucked around with this message at 18:45 on Oct 7, 2012 |
|
#
?
Oct 7, 2012 18:43
|
|
|
I bet you thought you'd seen all the weird coding styles people use. Well, I bet you've never seen semicolons at the start of lines.
|
|
#
?
Oct 8, 2012 04:13
|
|
|
yaoi prophet posted:I bet you thought you'd seen all the weird coding styles people use. Well, I bet you've never seen semicolons at the start of lines. If you're going to come up with a wacky style at least make it so that it inflates your line count!
|
|
#
?
Oct 8, 2012 04:18
|
|
|
yaoi prophet posted:I bet you thought you'd seen all the weird coding styles people use. Well, I bet you've never seen semicolons at the start of lines.
|
|
#
?
Oct 8, 2012 04:28
|
|
|
yaoi prophet posted:I bet you thought you'd seen all the weird coding styles people use. Well, I bet you've never seen semicolons at the start of lines. This code is why we have perltidy.
|
|
#
?
Oct 8, 2012 04:48
|
|
|
I love node.js and its whole constellation: https://github.com/visionmedia/n/issues/86#issuecomment-9215077 quotes from the maintainer of a node packaging system (that's in package managers in on major distributions) on a bug that causes bin, lib, share, and include to be deleted from /usr/local whenever you try to install the latest stable version: visionmedia posted:hahahaha good call on thanks giving i just got home. I haven't been reviewing PRs properly for n(1) lately since I don't have much time, if they don't work as advertised, sorry haha, I'd love to have someone else maintain n(1) if anyone is up to it. limbo-merges seem to be digging a grave visionmedia posted:well ideally it "just works" and continues to "just work" but it's been slowly more and more messed up as I've merged half-baked patches and node changing conventions etc visionmedia posted:yeah it's kinda tough when you have 250+ OSS projects, inevitably some get messed up over time and I merge broken poo poo haha, funny thing is then I get comments like the one guy in here visionmedia/jade#629 trying to make me merge something I haven't properly reviewed and that has low test coverage, at the end of the day every feature or bit of code is something I have to maintain
|
|
#
?
Oct 8, 2012 05:35
|
|
|
That is pretty depressing to read, mainly because he has written stuff that a large majority of node.js uses such as express.js, jade, and mocha. Must be nice to have the problem of my projects being so popular that he doesn't have time for them, but should let people know that. Although I honestly never heard of n, always thought nvm was the main one. Edit: wow, looking at the pull request, I can see how he could miss it but man that sticks out like a sore thumb once you see it. Strong Sauce fucked around with this message at 06:15 on Oct 8, 2012 |
|
#
?
Oct 8, 2012 06:03
|
|
|
This isn't a coding horror, but is a bit of a coding related horror. I'm currently looking for freelance work, and quoted one guy my rate of $80-100.00 per hour, and this is how he responded: quote:Unfortunately, the rate you've asked for is entirely out of the range that we're looking to hire someone within (your min $80/hr = $153,000+/year, average software engineer salaries in Canada are $41,000-$80,000/year) I don't even... 
|
|
#
?
Oct 8, 2012 06:15
|
|
|
"Wait, so what does the 'free' in 'freelancer' mean?!"
|
|
#
?
Oct 8, 2012 06:31
|
|
|
Optimus Prime Ribs posted:This isn't a coding horror, but is a bit of a coding related horror. Wow they're asking for.. $20 - $40 per hour..?  And he's also judging it based on ~2000 hours per year, the average amount of work an American does fulltime, too.
|
|
#
?
Oct 8, 2012 06:49
|
|
|
Volte posted:Haskell programmer found That was actually invented in the Perl universe.
|
|
#
?
Oct 8, 2012 07:44
|
|
|
Jewel posted:Wow they're asking for.. $20 - $40 per hour..? It's pretty stupid that they scale short-term work up to the cost it would be if they were hired full-time. It should really just be "if I had to buy a product to fix this rather than pay a person, what would that be worth to me" since in the end the result is the only thing that matters.
|
|
#
?
Oct 8, 2012 10:58
|
|
|
SQL code:
|
|
#
?
Oct 8, 2012 11:52
|
|
|
My name aint Jerry posted:
Someone doesn't know that Postgres doesn't cluster around PKs?
|
|
#
?
Oct 8, 2012 13:26
|
|
|
Zombywuf posted:Someone doesn't know that Postgres doesn't cluster around PKs? I'm don't even know if you're saying that having multiple columns in a Primary Key is good or bad. I'm pretty certain that having a column named "id" which isn't a primary key has to be a good contender for worst idea of the year. I'm quite confident the code that handles this table act as if it is, of course.
|
|
#
?
Oct 8, 2012 15:17
|
|
|
My name aint Jerry posted:I'm pretty certain that having a column named "id" which isn't a primary key has to be a good contender for worst idea of the year. Foreign Keys would like to have a word with you.
|
|
#
?
Oct 8, 2012 15:22
|
|
|
Wozbo posted:Foreign Keys would like to have a word with you. Wouldn't the foreign key have a more descriptive name than 'id'? Unless there was only one table foreign keys could come from I guess... But still.
|
|
#
?
Oct 8, 2012 15:25
|
|
|
I'm an idiot and misread and thought he said anything with "id" in it. My bad. On topic: When I do do table pks with id I always call it autoid when I do table design with an auto increment int, dunno why. Is that a code horror?
|
|
#
?
Oct 8, 2012 15:26
|
|
|
Bunny Cuddlin posted:I love node.js and its whole constellation: Didn't NPM have a release that rm -r'ed root a couple years back?
|
|
#
?
Oct 8, 2012 17:31
|
|
|
My name aint Jerry posted:I'm don't even know if you're saying that having multiple columns in a Primary Key is good or bad. I'm pretty certain that having a column named "id" which isn't a primary key has to be a good contender for worst idea of the year. I think I was assuming it was a workaround for Postgres not having a "create clustered index ..." written by someone who had failed to understand why it doesn't have such a command.
|
|
#
?
Oct 8, 2012 17:43
|
|
|
code:
|
|
#
?
Oct 8, 2012 19:53
|
|
|
Optimus Prime Ribs posted:This isn't a coding horror, but is a bit of a coding related horror. And yeah if he's comparing your total up front hourly rate to only the salary compensation of hiring a regular employee (perhaps more presuming you're specialized in whatever sub-domain the product falls under) , and extrapolated out a full year of full time work and doesn't see the huge gaps in that logic then he either needs to gain some new perspective of the situation (which can happen a lot) or else it's just a sign that that might be a disaster project to work for because you'll never be able to manage his expectations. EDIT: Also those canadian salaries look wrong to me, at least the low end isn't realistic from what I've seen and the top end is only that low for junior level fresh out of college type positions. Bhaal fucked around with this message at 20:01 on Oct 8, 2012 |
|
#
?
Oct 8, 2012 19:54
|
|
|
Optimus Prime Ribs posted:This isn't a coding horror, but is a bit of a coding related horror. This sounds like a challenge to battle, to me. Bargain for great justice!
|
|
#
?
Oct 8, 2012 20:52
|
|
|
I know student code is kind of a weak post because all students write bad code, but this is hilarious to me because of the outcome it had. In my data structures class last week, I made a side comment about how if the only operations you had were push/pop/top for a stack (i.e., no size() method), how would you get the size non-destructively? Well you could pop everything from one stack to another until an exception is thrown, counting as you go, then push everything back onto the original stack and return the count. Not that you should ever do this -- I just wanted to get them to think about how the operations work at a deeper level with respect to the ordering of elements. Well one student apparently took this advice to heart. As part of his project, he submitted a stack class that uses an ArrayList to store its elements. Instead of having its size() method return the array list's size, it does this: code:I'm tempted to give the student a prize for writing code so bizarre that the instrumentation tool couldn't even figure it out. That takes some effort.
|
|
#
?
Oct 8, 2012 23:41
|
|
|
The real horror is the 1 == 1 there.
|
|
#
?
Oct 8, 2012 23:44
|
|
|
Flobbster posted:I'm tempted to give the student a prize for writing code so bizarre that the instrumentation tool couldn't even figure it out. That takes some effort. Edit; oh, Java, I thought it was C# and stack.size() was his own method. The Gripper fucked around with this message at 00:01 on Oct 9, 2012 |
|
#
?
Oct 8, 2012 23:50
|
|
|
The best part is how he actually uses stack.size() (I'm assuming "stack" is an ArrayList) in that insane method -- if he knows it exists, why not just return that?
|
|
#
?
Oct 8, 2012 23:55
|
|
|
|
| # ? May 16, 2024 22:03 |
|
|
Bhaal posted:EDIT: Also those canadian salaries look wrong to me, at least the low end isn't realistic from what I've seen and the top end is only that low for junior level fresh out of college type positions. The minimum end is a bit low (I don't know where he got those figures from) but $80,000.00 isn't too inaccurate. NinjaDebugger posted:This sounds like a challenge to battle, to me. Bargain for great justice! I just politely explained that my rate is a freelance rate, not an employed rate, and that my rate is actually below average. Then went on my way. Pretty sure I dodged a bullet by not working with the guy anyways. Can't even imagine what his work ethic is like if he thinks $80.00 per hour is an unreasonable rate.
|
|
#
?
Oct 9, 2012 00:20
|
|