From: Michael Orlitzky
Date: Mon, 14 Oct 2013 15:17:32 -0400
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: scripted iptables-restore
Message-ID: <525C434C.8040905@orlitzky.com>

On 10/14/2013 02:49 PM, Martin Vaeth wrote:
>
>> Hiding the salt would just be security through obscurity.
>
> And yet it is stupid if you do not do it and give away a
> huge constant factor for no advantage.
> (I'll just agree to disagree about the rest.)

Keeping the salt secret makes your application more complex. Rather than
"SELECT hash, salt FROM users WHERE...", you now have to "SELECT hash
FROM users WHERE..." and then pull the salt from somewhere else. (Where?
The filesystem? Do you encrypt that? How?)

What's stupid is going to all that effort for a 2x improvement when you
could twiddle a bit and get a
340282366920938463463374607431768211456x improvement.
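
The single-query design mentioned in the message above, as an added example that is not part of the original post: the salt is stored in the clear in the same row as the hash and both come back from one SELECT. The table layout, the choice of PBKDF2-HMAC-SHA256, the iteration count and the account names are assumptions made for this example.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # assumed work factor for this example


def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over the password with the per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, hash BLOB, salt BLOB)")
    return db


def add_user(db: sqlite3.Connection, name: str, password: str) -> None:
    salt = os.urandom(16)  # random, unique per user, stored next to the hash
    db.execute("INSERT INTO users (name, hash, salt) VALUES (?, ?, ?)",
               (name, derive(password, salt), salt))


def verify(db: sqlite3.Connection, name: str, password: str) -> bool:
    # One query returns both values; no second lookup for the salt is needed.
    row = db.execute("SELECT hash, salt FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        derive(password, b"\x00" * 16)  # keep timing similar for unknown users
        return False
    stored_hash, salt = row
    return hmac.compare_digest(stored_hash, derive(password, salt))


def demo() -> dict:
    db = open_db()
    add_user(db, "alice", "correct horse")  # constructed sample accounts
    add_user(db, "bob", "correct horse")    # same password, different salt
    hashes = [r[0] for r in db.execute("SELECT hash FROM users ORDER BY name")]
    return {
        "alice_ok": verify(db, "alice", "correct horse"),
        "alice_bad": verify(db, "alice", "wrong"),
        "unknown": verify(db, "mallory", "correct horse"),
        "same_password_distinct_hashes": hashes[0] != hashes[1],
    }


if __name__ == "__main__":
    print(demo())
```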