Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 11 years ago.
Improve this question
Is there a significance to the word "salt" for a password salt?
Maybe because salt goes well with hash?
http://www.derkeiler.com/Newsgroups/comp.security.misc/2003-05/0154.html
The use of the word "salt" is probably a reference to warfare in
ancient times, when people would salt the wells or farmland to make it less
hospitable. The Romans are sometimes supposed to have done this to
Carthage in 146 BC. In the context of passwords, a "salted" password
is harder to crack.
Apparently, there's no strong evidence even for the original "salting" of Carthage (http://en.wikipedia.org/wiki/Salting_the_earth) claim, but an interesting hypothesis nonetheless.
The only meaning is that you are adding something to your password before you hash it, similarly to adding salt to your meal :-)
According to Ken Thompson, one of the first people to use the term in a book, it's related to the term "salting a mine", referring to gold mines. Whether that is "correct" or not who knows? I doubt there's an actual correct answer to this, it's just one of those terms that doesn't really have to have a reason as long as what it means is understood.
I would guess because it's easy to add "salt" (NaCl or a fixed string). But once you do, the output is irrevocably changed (food, encrypted password).
I had thought it related to the verb salt ...
(salt away) informal put by (money) secretly.
-- http://www.askoxford.com/concise_oed/saltx?view=uk
Because before you hash the password, you add a random text to it. So, it looks like as if you add some "salt" to the original "food" ... password :)
Once you add salt to food the real taste is no longer visible. So basically this is a figurative saying; add a little salt and it changes the original dish.
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
PostgreSQL provides the ability to magically generate constraint names in statements like CREATE TABLE, ALTER TABLE if none are provided explicitly. The naming convention is well known and I personally like it very much. But how stable and official is it? Is it something which one can rely on for different major releases or even the next 50 years?
I always had the impression that this is an implementation detail and while a lot of people rely on it, one shouldn't and always use explicit names to properly document things instead. I think I've read something like that in the official documentation in the past, but couldn't find it anymore...
So is there a definitive, official statement how reliable this naming scheme is or if users should always try to provide explicit names?
Strictly, if it's not in the documentation, you should not rely on it.
The docs only say:
If you don't specify a constraint name in this way, the system chooses a name for you.
so strictly I should recommend not baking the constraint names into the application unless you specify them explicitly in the SQL. This will also make the connection more apparent when reading the SQL - you bothered to specify constraint names for a reason.
That said, constraint name generation has not AFAIK changed, at least since I started using Pg around 7.4. So while it's not part of the official documented API, it's probably also not especially bad to rely on it. Also, constraint names are always going to be preserved by pg_dump and pg_upgrade, so it likely doesn't matter much unless you are doing a clean reload into a new version that has changed default constraint name generation.
TL;DR: It doesn't look like they're officially defined and documented, but they're unlikely to change, and if they do the impact is minimal. So relying on them is probably OK. Just document that in the app.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 5 years ago.
Improve this question
I'm designing a REST API and trying to decide which is the more correct way of returning a single resource:
/resource/{id}
or
/resource/{name}
The ID would be immutable, so I'm thinking that it would be better to select by it, but name would be more friendly looking. What is the best practice? I've seen both used before "in the wild".
Basically REST is built on top of unique IDs, thus:
GET /resources/{id}/
should be used. However, there's nothing that prevents you from making name field unique (now it behaves as plain old ID) and build REST on top of this unique ID.
If this is not what you need and name cannot be made unique, then another option is to implement filtering via name:
GET /resources?name=<SOME_NAME>
It also should be resources (plural) since it indicates that there's a collection under the hood.
Whether using name instead is practical comes down to your business case.
Will 'name' always be unique? Or will the application deal with there being more than one occurrence?
Are 'pretty' URLs important? In most applications I've worked on, querying uses unique IDs which are never exposed to the end-user, as they have no business meaning whatsoever. They are in effect surrogate primary keys.
/resource/{id} is more technically correct, but if it were me, I'd allow both. Assuming names can't contain ONLY numbers, and ids can ONLY be numbers, you could easily detect which was supplied and allow for either to be used. ;)
This is good question .. it depends on business case example if api is used through cli like docker then you might want to use user friendly ids like name
But as soon as it become part of URL it has limitations like ASCII (to avoid url encoding or loss of readability ) char only and some defined length like 128 chars etc.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 9 years ago.
Improve this question
When creating a url, I am thinking of these ways of how to do that
example.com/restaurants-in-new-york
example.com/restaurants/in-new-york
example.com/restaurants/in/new-york
So, the question is how Google considers this ? If I search restaurants in new york to which type the preference is given.
Which will have higher ranking ?
They'll all probably have the exact same ranking, no matter what. More important: Don't screw up real users when doing SEO.
Simple reasons:
You might do everything for nothing (i.e. no or no significant change).
Talking URLs are for users to know what content they can expect. They're not for search engines. if you optimize your overall appearance just for a high search engine ranking, even if people won't want your page contents, you might profit off this at first, but they won't return.
When using path separators (/) in your URL, expect users to use these. If they can't use them, you generate a bad user experience and they might rather leave your page and look elsewhere for what they're using.
Similar reason: Only use path separators if there's a real reason for them, for example, if they're some logical grouping. In your example above, the second and third variation would be bad, because the separation doesn't make any sense at all.
How I'd do it:
If we're talking about a single blog post or something like that, don't use any path separators at all: example.com/restaurants-in-new-york. That's it. Don't touch it or change it.
If we're talking about some listing, you can provide the user hints on how to quickly change their actual query or results. Here I'd use something like example.com/restaurants/new-york.
I hope you understand what my intention here is. Let's assume the user now wants to know what restaurants are there in Chicago. He won't have to navigate or look for some link. He could just edit the URL: example.com/restaurants/chicago. There he is. Good user experience. If you look at your third example, you've got that unnecessary filler in: It doesn't serve any purpose at all (hint: Google most likely ignores such fillers anyway).
TL;DR: Don't optimize for Google or any other search engine. Optimize for your users. Modern search engines are built to see pages similar to users. You can have the prettiest key words in your URLs, yet they won't help you at all if they're strictly confusing or obviously just made for SEO.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
I was reading a few articles on salts and password hashes and a few people were mentioning rainbow attacks. What exactly is a rainbow attack and what are the best methods to prevent it?
The wikipedia article is a bit difficult to understand. In a nutshell, you can think of a Rainbow Table as a large dictionary with pre-calculated hashes and the passwords from which they were calculated.
The difference between Rainbow Tables and other dictionaries is simply in the method how the entries are stored. The Rainbow table is optimized for hashes and passwords, and thus achieves great space optimization while still maintaining good look-up speed. But in essence, it's just a dictionary.
When an attacker steals a long list of password hashes from you, he can quickly check if any of them are in the Rainbow Table. For those that are, the Rainbow Table will also contain what string they were hashed from.
Of course, there are just too many hashes to store them all in a Rainbow Table. So if a hash is not in the particular table, the hacker is out of luck. But if your users use simple english words and you have hashed them just once, there is a large possibility that a good Rainbow Table will contain the password.
It's when somebody uses a Rainbow table to crack passwords.
If you are worried about this, you should use Salt. There is also a Stack Overlow question that might help you understand salt a little better than Wikipedia...
This is a useful article on Rainbow Tables for the lay person. (Not suggesting you are a layperson, but it's well written and concise.)
Broadly speaking, you encrypt a vast number of possible short plaintext strings (i.e. for passwords), and store the encrypted values alongside the plaintext. This makes it (relatively) straightforward to simply lookup the plaintext when you have the encrypted value.
This is most useful for weak and/or unsalted password hashes. A popular example is the LAN Manager hash, used by versions of Windows up to XP to store user passwords.
Note that a pre-computed rainbow table for even something as simple as the LM hash takes a lot of CPU time to generate and occupies a fair amount of space (on the order of 10s of gigabytes IIRC).
Rainbow Tables basically allow someone to store a large number of precomputed hashes feasibly.
This makes it easy to crack your hashed passwords, since instead of performing a whole heap of hashing functions, the work has already been done and they virtually just have to do a database lookup.
The best protection against this kind of attack is to use a salt (random characters) in your password. i.e. instead of storing md5(password), store md5(password + salt), or even better md5(salt + md5(password)).
Since even with rainbow tables, it is going to be near impossible to store all possible salted hashes.
BTW, obviously you have to store your salt with your hash so that you can authenticate the user.
Late to the party but I was also aware of Rainbow Tables being a method of attack on hashed/unsalted passwords. However on Twitter recently http://codahale.com/how-to-safely-store-a-password/ was shared and depending on your needs and concerns.. you may not be able to salt your way to safe password storage.
I hope this is informative to you.
Wikipedia is your friend:
http://en.wikipedia.org/wiki/Rainbow_table
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I always thought an SQL compiler would break but apparently nesing can nearly be infinite. Is this code to be trashed immediately or is there some glimmer of hope that something like this can function?
This query doesn't really belong to me so I cannot post it... However let's just pretend it is this one:
[SELECT /*+ NOPARALLEL bypass_recursive_check */
SP_ALIAS_190,
((CASE SP_ALIAS_191
WHEN 1
THEN 'PROVIDER::ALL_PROV::'
WHEN 0]
Clearly, you've never seen the SQL that comes out of the Sharepoint DAL.
If the query is generated by a tool (or by code), then it may be relatively simple to maintain (in the sense that the query generation code may in fact be well written and maintainable)
I ran into a problem similar to this recently and I came to a decision by considering a couple of things:
How long is this going to take to maintain vs. rewrite?
How critical is this? There may be a lot of logic that may be difficult to unravel and the value in the fact that "it works" exceeds the value from an immediate rewrite.
And of course, there was the political decision management had to make concerning risking explaining why something that was recently created would have to be rewritten.
In the end (for me), find + replace was my friend.
Refactor it using the WITH statement.
Add lots and lots and lots of comments.
If you break it into pieces that can be managed, you stand a much better chance.
If it contains allot of nesting I would say no.
Like any code no matter what language, you should only look at re-writting it because you can make it more efficient or easier to understand.
Based on my experiance I have been able to reduce badly written SQL 4 to 5 times its size and many times its performance because the origonal auther really had no idea.
If you think that's bad, you should see Industrial Logic's sample video on code smells: Technical Debt. Definitely not autogenerated.
Is it possible to maintain a 43 page function, say, in C#? The answer is obvious ;). I just cannot imagine this. If I were you I would break it into smaller parts.
Two things:
Will only machines ever need to read this SQL?
Are you stuck with the underlying schema?
If you have a 43 page query and you answered yes to the first two questions, welcome to SharePoint development