Cryptography and D
Nick Sabalausky via Digitalmars-d
digitalmars-d at puremagic.com
Sun Jul 6 12:35:54 PDT 2014
On 7/6/2014 9:49 AM, Kagamin wrote:
> On Saturday, 5 July 2014 at 21:50:59 UTC, Nick Sabalausky wrote:
>> 3. Too late anyway: See std.digest. Besides, if anything, std.digest
>> is arguably *worse* because (until 2.066) it only provides the worst
>> choices.
Slight correction: Apparently RIPEMD 160 and up are a lot better than I
thought. My mind automatically associated it with ~MD5, which I guess is
an inaccurate comparison.
>> std.random isn't much better. Granted, it doesn't claim to be
>> crypto-grade, but it doesn't clearly state that it *isn't* and that's
>> just as bad: People are going to decide (incorrectly) they can use
>> it to generate salts or tokens or whatever, and they will do so. Heck,
>> *I've* even done it, and *I'm* someone who actually knows better.
>
> The default PRNG is routinely used for salt generation :)
> Granted, your library makes it easier to use good salts. Though, it
> needs examples or tutorials, how to actually use the library correctly.
If this isn't good enough then I'm open to pull requests or more
specific suggestions:
https://github.com/abscissa/DAuth#typical-usage
Granted, the less typical (i.e. more heavily customized) use-cases could
use some tutorials.
In the expected typical use-case, proper salt generation is completely
transparent to the lib's user.
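To make the point of the thread concrete, here is an added example (not code from the original post, and not DAuth's own implementation) contrasting a salt drawn from std.random's default generator with one read from the operating system's CSPRNG. It assumes a POSIX host that exposes /dev/urandom; the salt length of 16 bytes is an assumed value.

```d
// Added example (not from the original post or from DAuth): contrasts a
// salt drawn from std.random's default generator with one drawn from the
// operating system's CSPRNG. Assumes a POSIX host exposing /dev/urandom.
import std.exception : enforce;
import std.format : format;
import std.random : Mt19937, uniform, unpredictableSeed;
import std.stdio : File, writeln;

enum saltLength = 16; // assumed value: a 128-bit salt

/// What people reach for first: std.random. Mt19937 is a fine statistical
/// generator but not a cryptographic one: its 32-bit seed is brute-forceable
/// and its internal state can be recovered from observed outputs, so a salt
/// built this way is predictable to anyone who learns or guesses the seed.
ubyte[] weakSalt(uint seed, size_t len = saltLength)
{
    auto rng = Mt19937(seed);
    auto salt = new ubyte[len];
    foreach (ref b; salt)
        b = cast(ubyte) uniform(0, 256, rng);
    return salt;
}

/// Pull the bytes from the kernel's CSPRNG instead. Phobos of this era has no
/// CSPRNG of its own, so reading /dev/urandom directly is the simplest correct
/// option on POSIX (a Windows port would use the OS crypto provider instead).
ubyte[] strongSalt(size_t len = saltLength)
{
    auto salt = new ubyte[len];
    auto f = File("/dev/urandom", "rb");
    auto got = f.rawRead(salt);
    enforce(got.length == len, "short read from /dev/urandom");
    return salt;
}

/// Hex-encode a byte slice for display.
string hex(const(ubyte)[] bytes)
{
    return format("%(%02x%)", bytes);
}

void main()
{
    // Two "random" salts from the same seed are identical: whoever can guess
    // or observe the seed can reproduce every salt the process handed out.
    immutable seed = unpredictableSeed; // 32 bits, drawn from non-secret sources
    auto a = weakSalt(seed);
    auto b = weakSalt(seed);
    writeln("std.random salt: ", hex(a),
            a == b ? "  (reproducible from the seed)" : "");

    // Salts from the CSPRNG are independent and not reproducible.
    writeln("urandom salt:    ", hex(strongSalt()));
    writeln("urandom salt:    ", hex(strongSalt()));
}
```

The weak variant is what a reader of std.random's documentation might write today; the strong variant is the behaviour a library such as DAuth has to provide internally so that, as the post says, correct salt generation is transparent to the caller.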