Hacker News | tachang's comments

For those wondering, MD5 by itself is a terrible hash for passwords. It’s really fast and without salting you can build rainbow tables against it with reasonable speed.

If the passwords were salted it still means that a determined adversary can find your password relatively quickly.

Other better hash functions for passwords include things like bcrypt. Though I do understand it is a pain to migrate users over since you can only do it when they log in.


> Though I do understand it is a pain to migrate users over since you can only do it when they log in.

Had a thought on this, but I'm no security expert so if someone else could weigh in, that'd be awesome. Couldn't you just add a layer to the password hashing?

I.e., you start with MD5 because that's the best at the current point in history. Bcrypt comes around and you want to do a migration of all your users, so you take the stored MD5 hashes and run them through bcrypt. Making sure, of course, that your login system does the same, MD5 followed by bcrypt. When the next-gen hashing algorithm comes around, you do the same, now the path is MD5->bcrypt->next-gen.

That way you're relying on the strongest algorithm "wrapping" the weaker one(s) without having to make everyone log in again to generate the new hashes to be stored.

Curious to know if there are downsides to this (performance is an obvious one) or whether you're weakening the stronger hash by hashing a weaker one?


> Curious to know if there are downsides to this (performance is an obvious one) or whether you're weakening the stronger hash by hashing a weaker one?

You're weakening the stronger hash by hashing the weaker one. The two main problems of MD5 are entropy (128-bit maximum) and collisions (because of lack of entropy).

By always hashing to MD5, you are losing the entropy of the stronger hashing algorithm.


Confirms a suspicion I had that it might be an issue. I assume it's a problem whenever you hash a weaker with a stronger, not just MD5 in particular.

Thanks!


It does cap it at 128 bits, but it is not an issue. 128 bits of entropy is plenty.


This is what Facebook has done and it works.
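
The layered migration discussed in this thread, as an added example that is not from any of the commenters: stored MD5 hashes are wrapped offline, login checks MD5 followed by the stronger function, and a successful login re-hashes the password without the MD5 layer. scrypt from the Python standard library stands in for bcrypt, and the record layout and function names are assumptions.

```python
import hashlib
import hmac
import os

def _kdf(material: bytes, salt: bytes) -> bytes:
    # scrypt stands in for bcrypt (assumption); cost parameters are illustrative.
    return hashlib.scrypt(material, salt=salt, n=2**14, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=32)

def legacy_md5(password: str) -> str:
    # The old scheme: unsalted MD5, stored as a hex string.
    return hashlib.md5(password.encode()).hexdigest()

def wrap_legacy(md5_hex: str) -> dict:
    # Offline migration step: needs only the stored hash, not the password.
    # The hex form is fed in because bcrypt implementations commonly stop at
    # or reject a NUL byte, which a raw MD5 digest can contain.
    salt = os.urandom(16)
    return {"scheme": "md5+kdf", "salt": salt,
            "hash": _kdf(md5_hex.encode(), salt)}

def new_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"scheme": "kdf", "salt": salt,
            "hash": _kdf(password.encode(), salt)}

def verify_and_upgrade(db: dict, user: str, password: str) -> bool:
    rec = db.get(user)
    if rec is None:
        return False
    layered = rec["scheme"] == "md5+kdf"
    material = legacy_md5(password) if layered else password
    ok = hmac.compare_digest(_kdf(material.encode(), rec["salt"]), rec["hash"])
    if ok and layered:
        # Plaintext is available only now, so drop the MD5 layer here.
        db[user] = new_record(password)
    return ok

def demo() -> dict:
    # Constructed sample data: two accounts stored as bare MD5.
    old = {"alice": legacy_md5("correct horse"), "bob": legacy_md5("hunter2")}
    db = {user: wrap_legacy(h) for user, h in old.items()}
    results = {"wrong": verify_and_upgrade(db, "alice", "guess"),
               "first": verify_and_upgrade(db, "alice", "correct horse"),
               "again": verify_and_upgrade(db, "alice", "correct horse")}
    results["schemes"] = {user: rec["scheme"] for user, rec in db.items()}
    return results

if __name__ == "__main__":
    print(demo())
```

Accounts that never log in again stay on the layered record, so the bare MD5 column can be dropped as soon as the offline wrap has run.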


How did we end up purifying the amount of U235 needed?

I saw on another page "General Leslie Groves consulted with lead scientists of the project and agreed to investigate simultaneously four separate methods of separating and purifying the uranium-235: gaseous diffusion, centrifuge, electromagnetic separation and liquid thermal diffusion."

Seems like a ton of work.


The reason you'd do this is because you are probably planning to return the same response for all the HTTP verbs.

Like if you wanted to return an empty hash {} for:

  GET /
  DELETE /
  PUT /
  PATCH /
  POST /

I guess just being lazy.


This is some seriously good marketing. Tesla is in a unique position to offer their car up as a prize and target. Other manufacturers could do this but because it is hard to update their firmware they don't do it.


Reading the discussion thread is fantastic. The postgres community culture definitely feels a lot different than some of the other open source projects I've seen.


What are you doing that I am not? Jira is slow as hell and updating statuses takes forever.

Are you on an onprem version?


I’ve used two separate onprem versions, and they were slower than hosted if anything.


Yeah it's onprem


It's possible at some schools to have 89s through most of your classes which equals a B (3.0) and have a few Cs and thus have a 2.6 GPA.


What product is it?


Intent Architect[1].

Our main development focus right now is on usability for newcomers and we're improving it regularly.

[1] http://intentarchitect.com/


Peanut butter and jelly reload.


Haha, I didn't want to say it but you went there


Where exactly in the link does it say the army discourages lead testing?

Reuters says "Yet it also “discourages” this type of lead-paint inspection" at the link https://phc.amedd.army.mil/topics/workplacehealth/ih/Pages/L...


It doesn’t force remediation for lead paint, it indicates only deteriorating paint is addressed.

