Well to be fair, Microsoft used to be entirely proprietary until recently.
Same thing with things like Ghidra; used to be a completely locked up proprietary software for NSA, now it’s open source.
Boof
Hashing on client side is both more private, and secure. All the user ever submits is a combined hash (auth/pubkey) of their username + password.
If the server has that hash? Check the DB if it requires 2FA, and if the user sent a challenge response. If not, fail the login.
Registering is pretty much the same. User submits hash, server checks DB against it, fail if exists.
Edit: If data is also encrypted properly in the DB, it doesn’t even matter if the entire DB is completely public, leaked, or secured on their own servers.
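The scheme described in the comment above (client submits a combined hash of username + password; server checks the record, the 2FA flag and the challenge response; registration fails if the record exists), written out as an added example. This is not the commenter's code and not any product's implementation. It uses scrypt from Python's standard library as the password KDF because it runs offline; the Argon2 recommendation from the same thread slots into the same structure. Cost settings, the salt derivation from the username, and the second server-side derivation of the stored verifier are all assumptions of this example, chosen so that the value sent by the client is never itself stored in the database.

```python
import hashlib
import hmac
import os

# Constructed cost settings for this example (not from the thread).
# 128 * n * r bytes of memory per derivation: 16 MiB for the client, 4 MiB for the server.
CLIENT_KDF = dict(n=2**14, r=8, p=1, dklen=32)
SERVER_KDF = dict(n=2**12, r=8, p=1, dklen=32)


def client_auth_hash(username: str, password: str) -> bytes:
    """Client side: derive the only value that ever leaves the device.

    The salt is derived from the normalised username so the same credentials
    produce the same auth hash on every device, without a round trip to fetch a salt.
    """
    salt = hashlib.sha256(b"auth-hash-v1|" + username.strip().lower().encode()).digest()
    return hashlib.scrypt(password.encode(), salt=salt, **CLIENT_KDF)


class AuthServer:
    """Server side: stores a verifier derived from the client's auth hash, never the auth hash itself."""

    def __init__(self) -> None:
        self._users: dict[str, dict] = {}  # username -> record (stands in for the DB)

    def register(self, username: str, auth_hash: bytes, requires_2fa: bool = False) -> bool:
        """Fail if the user exists; otherwise store a salted, server-side derived verifier."""
        if username in self._users:
            return False
        salt = os.urandom(16)
        self._users[username] = {
            "salt": salt,
            "verifier": hashlib.scrypt(auth_hash, salt=salt, **SERVER_KDF),
            "requires_2fa": requires_2fa,
        }
        return True

    def login(self, username: str, auth_hash: bytes, challenge_ok: bool = False) -> bool:
        """Check the auth hash against the stored verifier, then the 2FA challenge if required."""
        record = self._users.get(username)
        if record is None:
            # Do the same amount of work for unknown users so response time does not reveal existence.
            hashlib.scrypt(auth_hash, salt=b"\x00" * 16, **SERVER_KDF)
            return False
        candidate = hashlib.scrypt(auth_hash, salt=record["salt"], **SERVER_KDF)
        if not hmac.compare_digest(candidate, record["verifier"]):
            return False
        if record["requires_2fa"] and not challenge_ok:
            return False
        return True


if __name__ == "__main__":
    server = AuthServer()
    h = client_auth_hash("alice", "correct horse battery staple")
    print("registered:", server.register("alice", h, requires_2fa=True))
    print("login without challenge:", server.login("alice", h))
    print("login with challenge:", server.login("alice", h, challenge_ok=True))
```

The second derivation on the server is what makes a leaked table useless on its own: an attacker holding the records still has to derive a matching verifier from a candidate auth hash, and the auth hash itself is never present in the DB to be replayed.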
Argon2 is the best (secure) crypto currently.
That said, adoption is slow, Bitwarden only recently implemented it for example.
That said, due to Argon2 being security-oriented, the recommended settings for it are pretty heavy.
Well to be fair, if they’re hashing serverside, they were doomed to begin with.
But yeah, there’s a lot of ways to DDoS, and so many tools that just make it a 1 button click.
Your password could also just be a long, unique sentence, without any excessive special characters. Maybe even a poem.
Like "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Vestibulum eu leo eu nibh efficitur viverra. Integer lacinia tortor est, quis aliquet tortor varius sed. Sed dapibus vel turpis at suscipit. Nulla consequat orci in nibh dapibus sodales. Phasellus at arcu ac dolor suscipit pretium. Curabitur sit amet justo sit amet ipsum scelerisque accumsan ac ac nulla. Nullam accumsan lorem sagittis iaculis varius. Nullam convallis nisi ante, id congue diam tincidunt vel. Aliquam sed iaculis mauris. Nam leo nisi, consequat sed sodales non, tempor vel ante. Nunc eleifend vulputate turpis bibendum bibendum. Morbi nec massa in mi sagittis lacinia id ut metus. Maecenas gravida mi vitae lorem laoreet sagittis. "
That’s a lot of common characters and words; yet, it’ll take centuries to crack.
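An added example, not part of the comment above, that puts numbers on the "long sentence of common words" argument: it estimates the guessing space of a passphrase two ways (per character, as a naive attacker model would, and per word, which is the right model when the attacker knows it is made of dictionary words) and converts the result into years at an assumed guess rate. The sample passphrase, the 5000-word dictionary size and the 10^10 guesses/second rate are all constructed assumptions for the example.

```python
import math
import re

# Constructed sample: 13 common lower-case words, no digits or special characters.
SAMPLE_PASSPHRASE = "correct horse battery staple went to the market on a rainy tuesday morning"

# Assumed attacker rate; realistic only for a fast, unsalted hash, far too high for Argon2 or scrypt.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def char_entropy_bits(passphrase: str) -> float:
    """Naive per-character estimate: length * log2(size of the character pool used)."""
    pool = 0
    if re.search(r"[a-z]", passphrase):
        pool += 26
    if re.search(r"[A-Z]", passphrase):
        pool += 26
    if re.search(r"[0-9]", passphrase):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", passphrase):
        pool += 33  # printable ASCII punctuation and space
    return len(passphrase) * math.log2(pool) if pool else 0.0


def word_entropy_bits(passphrase: str, dictionary_size: int = 5000) -> float:
    """Estimate assuming the attacker knows the phrase is words drawn from a dictionary of the given size."""
    words = re.findall(r"[A-Za-z']+", passphrase)
    return len(words) * math.log2(dictionary_size)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try the whole space of 2**bits guesses at the given rate."""
    return 2 ** bits / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    c = char_entropy_bits(SAMPLE_PASSPHRASE)
    w = word_entropy_bits(SAMPLE_PASSPHRASE)
    print(f"per-character estimate: {c:.0f} bits, {years_to_exhaust(c):.3g} years")
    print(f"per-word estimate:      {w:.0f} bits, {years_to_exhaust(w):.3g} years")
```

The per-word figure is the one to trust, since a dictionary attack does not care how many characters the words contain; even so, thirteen common words give well over 150 bits, which is why a plain sentence holds up without any special characters.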
That’s a misunderstanding of DDoS. 0 byte packets are actually worse than large packets.
Which is why most DDoS is (or at least was) extremely slow 0 byte requests until the server throttles/crashes under the number of requests.
E: Consider this. Are you more likely to throttle a bandwidth of terabytes/petabytes with a couple million 1gb requests; or break it entirely by sending >4294967295 0 byte requests that effectively never stop being requested from the server?
Old Steam calling.
Website and Client used different password rules; what worked in one didn’t in the other.
I’d say no. While yes for example in game development we’ve had new tech come up that wasn’t there 10-30 years ago, the “how” to do it was on paper decades earlier. It just wasn’t feasible to implement with current technology.
Due to IDEs etc, it’s significantly easier to just create stuff these days, which for indie etc is extremely good.
It does however also mean that the implementation of tech X will be sub-optimal in most situations, because people don’t really understand the underlying tech.
That can be solved in non-corporate situations by asking for help/advice online, or looking it up; but in corporate that’d likely get you branded “overqualified”, and they’d fire your ass for focusing development time on improving/fixing something instead of just pushing, pushing, and pushing.
'course there are also programming fields specifically targeting to improve gaps left by IDEs etc, to make them even easier and more efficient to use.
So basically: Fuck big corpo, fuck “education” that prepares you for corporate rather than teaches you the fundamentals.
Yes, software is getting worse, as education and corporate are getting worse.
Where employees in the past needed to know what they were actually doing, now most of it is auto-filled by IDEs and languages that target other languages, so employees need to know less and less of the fundamentals.
Which in turn means when a low-level error occurs, either no one knows how to fix it, or the corporate refuses to hire someone who knows how to fix it because they’re “over-qualified”, and therefore would “cost them too much”.
Code obfuscation and proprietary code.
It’s more so lucky that there was someone diligently doing that. It could’ve easily gone unnoticed had there not been someone like him.