I don't hate relational DBs or anything but there's a small part of me that thinks a document DB like DynamoDB is better and more "correct"
Posts by pilcrow
Find it hilarious that Buzzfeed and Palantir have an office next to each other
Can we send the emperor back to Kyoto? The imperial palace takes up a lot of valuable space and should be a public park
Very tempted to buy a press and just make my own tortilla
Not satisfied with the frozen ones
There’s another password hash algorithm called yescrypt that’s used in a lot of Linux distributions and might be better than both argon2 and bcrypt, but a GPU implementation doesn’t exist yet so I wasn’t able to cover it in the blog
It's not a 100% fair analysis because I'm using the most common words and numbers from the leak itself but you can probably get similar results using the exact same wordlist (+ adjusting for the region/language of the user base)
Even if the password was hashed with Bcrypt with cost 9 (or Argon2 with m=16mib, t=3), that's a successful crack every 20 minutes with just a single GTX 1080 (about $100 used)
Or about 100 cracks per dollar by renting a GPU
Doing some analysis on an old password leak and 5% of the 15 million passwords, or over 700,000 passwords, could be cracked in under 100,000 attempts
(minimum length of 6 with a mix of letters and numbers)
The calculation above assumes a 20 cycle read latency for RTX 3000s and before, and a 30 cycle latency for RTX 4000s and after. It also accounts for 15 cycles of calculations + bank conflicts
I might be underestimating the additional cycles caused by bank conflict tho
I do find it interesting that doubling the cost of each internal iteration gives something very close to the actual numbers, but I have no idea if that's just a coincidence or if the GPU is taking 2x longer than expected to read from memory
Calculated theoretical hashing speeds of Bcrypt at about 2x of the actual hashing speeds
I spent a while trying to calculate the theoretical hashing speeds of Bcrypt but I couldn't get something that I'm super confident in
It doesn't look *wrong* tho
Nothing major but I redesigned my website!
NINTENDO FIXED IT!!!!
Wished compact preview cards were supported
tl;dr: Argon2 is overall better against GPUs, but at a lower memory config (< 64-128 MiB) the difference isn't that significant and sometimes Bcrypt is slightly better
At high memory config like 256 MiB, Argon2 is undoubtedly better but this isn't realistic for web servers
120hz is noticeably better than 60hz on an iPhone but I'm not finding it to be a big difference on a Mac (MacBook Pro vs Studio Display)
Played Subnautica for a few hours and I don't think it's for me
I'm not finding the combination of survival mechanics, underwater movement, and mystery solving to be that fun
Unfortunate that Apple only offers good screens with their expensive models but I guess that's a deliberate choice
Passkeys with no user verification provide more or less the same security as email OTP right?
Yeah it's not great but I don't think the premise is that bad either and this is infinitely better than forcing applications or OSes to do age verification by using AI or collecting IDs
The whole point of the legislation seems to be:
1. Allow parents to have more control over their children's online activity
2. Force applications to respect parents' decisions and do basic age checks
3. Make enforcing COPPA etc easier
I can't tell if "applications" include websites tho. The text seems to treat "software applications" and "websites" differently but idk
We might see a new web API or HTTP header?
The bigger issue is that apps have to request the age bracket info even if they don't have a use for it. It also seems to apply to ALL devs/apps
I wonder if the signal will be included in env vars or something like that so it's technically requested by all software by default
The California law to require "age verification" in OS doesn't really seem to be about age verification. It just mandates OSs to allow parents to create accounts for children and for apps to use the age info of accounts
I get to like 80 wpm comfortably and 100 if I try hard enough. Not efficient but it works
The big downside is that this only really works on MacBooks lol
Behold my terrible keyboard finger position
blue: thumb
green: index
yellow: middle
red: ring
pink: pinky
I’m finding Go’s standard library to be very helpful because it supports a lot of public key formats on top of the signing algorithms but creating a parser for them is still doable
Handling attestation statements is probably a different story tho
Back to WebAuthn after a year and I’m fully convinced you don’t need a library for it
Well except for the crypto stuff
Implementing this in Go right now but my allergies are killing me
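The WebAuthn posts above (standard library covering the public key formats and signing algorithms, the rest being doable by hand) and the earlier question about passkeys without user verification are illustrated by this added example. It is not pilcrow's code or any library's; it verifies an assertion with only Go's standard library and shows where the UP/UV flags are checked. The RP ID, origin, challenge string and the ES256 key are constructed for the sample, the challenge is compared as the base64url string the server issued, signCount is read but not compared against a stored value, and attestation and extensions are out of scope.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Flag bits of the authenticatorData flags byte (WebAuthn spec, section 6.1).
const (
	flagUP = 0x01 // user present: someone touched the authenticator
	flagUV = 0x04 // user verified: PIN/biometric was checked by the authenticator
)

// clientData is the subset of clientDataJSON a relying party must check on assertion.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url of the challenge the server issued
	Origin    string `json:"origin"`
}

// VerifyAssertion checks a WebAuthn assertion using only the standard library.
// pubKeyDER is the credential public key stored at registration (PKIX/SPKI DER).
// requireUV makes the UV flag mandatory; without it the assertion only proves
// possession of the authenticator (UP), not who is holding it.
func VerifyAssertion(pubKeyDER, authData, clientDataJSON, sig []byte,
	rpID, origin, expectedChallenge string, requireUV bool) error {
	// 1. clientDataJSON: right ceremony type, our challenge, our origin.
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return fmt.Errorf("clientDataJSON: %w", err)
	}
	if cd.Type != "webauthn.get" || cd.Challenge != expectedChallenge || cd.Origin != origin {
		return errors.New("clientDataJSON type/challenge/origin mismatch")
	}
	// 2. authenticatorData layout: rpIdHash(32) || flags(1) || signCount(4) || extensions...
	if len(authData) < 37 {
		return errors.New("authenticatorData too short")
	}
	var rpIDHash [32]byte
	copy(rpIDHash[:], authData[:32])
	if rpIDHash != sha256.Sum256([]byte(rpID)) {
		return errors.New("rpIdHash does not match our RP ID")
	}
	flags := authData[32]
	if flags&flagUP == 0 {
		return errors.New("user presence flag not set")
	}
	if requireUV && flags&flagUV == 0 {
		return errors.New("user verification required but UV flag not set")
	}
	_ = binary.BigEndian.Uint32(authData[33:37]) // signCount: compare with the stored one in a real RP
	// 3. The signature covers authData || SHA-256(clientDataJSON).
	cdHash := sha256.Sum256(clientDataJSON)
	signed := append(append([]byte{}, authData...), cdHash[:]...)
	// 4. x509.ParsePKIXPublicKey handles the key types authenticators commonly use.
	pub, err := x509.ParsePKIXPublicKey(pubKeyDER)
	if err != nil {
		return fmt.Errorf("public key: %w", err)
	}
	switch k := pub.(type) {
	case *ecdsa.PublicKey: // COSE alg -7 (ES256)
		h := sha256.Sum256(signed)
		if !ecdsa.VerifyASN1(k, h[:], sig) {
			return errors.New("ECDSA signature invalid")
		}
	case ed25519.PublicKey: // COSE alg -8 (EdDSA)
		if !ed25519.Verify(k, signed, sig) {
			return errors.New("Ed25519 signature invalid")
		}
	case *rsa.PublicKey: // COSE alg -257 (RS256)
		h := sha256.Sum256(signed)
		if err := rsa.VerifyPKCS1v15(k, crypto.SHA256, h[:], sig); err != nil {
			return errors.New("RSA signature invalid")
		}
	default:
		return errors.New("unsupported public key type")
	}
	return nil
}

// SampleAssertion builds a constructed ES256 assertion (key, authData, clientDataJSON,
// signature) with the given flags, standing in for what a real authenticator returns.
func SampleAssertion(rpID, origin, challenge string, flags byte) (pubDER, authData, cdJSON, sig []byte) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	pubDER, _ = x509.MarshalPKIXPublicKey(&priv.PublicKey)
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(append([]byte{}, rpHash[:]...), flags, 0, 0, 0, 1) // signCount = 1
	cdJSON, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	cdHash := sha256.Sum256(cdJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, _ = ecdsa.SignASN1(rand.Reader, priv, h[:])
	return
}

func main() {
	pubDER, ad, cd, sig := SampleAssertion("example.com", "https://example.com", "c2FtcGxl", flagUP)
	fmt.Println("UP only, UV not required:", VerifyAssertion(pubDER, ad, cd, sig, "example.com", "https://example.com", "c2FtcGxl", false))
	fmt.Println("UP only, UV required:", VerifyAssertion(pubDER, ad, cd, sig, "example.com", "https://example.com", "c2FtcGxl", true))
}
```

The same sample assertion passes when the relying party accepts user presence alone and fails when it demands UV, which is the distinction behind the passkeys-without-user-verification question: the signature proves the authenticator was used, and only the UV flag says the authenticator checked the person using it.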