<aw->
worked fine when i first wrote it (2015) ahahahaaa
<aw->
still seems to build fine and all tests pass with pil21
<aw->
but the C lib hasn't been updated in just as long.. no idea if it's still secure
<aw->
it also compiles/tests fine with the "future" branch (2017)
<aw->
for what it's worth haha
<pablo_escoberg>
Thanks, but I found argon2id, which appears to be the standard these days. Won the competition the same year you wrote the bcrypt implementation :D
<pablo_escoberg>
I was just checking if there was anything standard builtin that you guys use, but `native` is fine for this kind of thing.
<aw->
yeah i wouldn't do it without native anyways
<aw->
tankf33der wrote a million encryption things in picolisp
<aw->
and the ones without native are awfully slow
<pablo_escoberg>
good to know!
<pablo_escoberg>
although in this case slowness is a virtue...
<aw->
pablo_escoberg: well, no.. you don't understand what i mean by slow
<pablo_escoberg>
Holy crap! That's a lot of cryptographic primitives!
<pablo_escoberg>
But yeah, I'll just use argon2id.
<aw->
you don't want the hash computing to be slowed by the code, but rather by the complexity. If you write in picolisp (without native) and it takes 1 minute to compute, and some hacker uses a C version and it takes 1 second, well you're screwed.
<aw->
conversely, why would you want to spend 1 minute computing a hash when you can do it in 1 second?
<aw->
so.. use native
<pablo_escoberg>
If they get access to the raw DB, yes. But as long as they are trying to brute force remotely, slowness is good.
<pablo_escoberg>
but yeah, I'll use native.
<aw->
and yes tankf33der is awesome, Mike has written lots of good code and shared it generously
<pablo_escoberg>
(y) (y) (y)
<aw->
pablo_escoberg: i'm not sure what you're trying to secure, but if you think remote access to a DB is your only weak point that needs to be secured, then you're going to have trouble down the road
<aw->
there's sooo many threat factors to think about, if you're trying to protect user passwords or other information, you HAVE to think of the possibility of someone gaining access to the raw DB
<pablo_escoberg>
of course. I will properly salt the passwords and make sure everything is hardened against physical access, etc. I was just pointing out that in this specific case, slowness isn't an issue.
<aw->
either through a backup or missing parens which allows someone to upload a script
<pablo_escoberg>
sure. The first thing I'm building probably won't require heavy security, but I don't want to get into any bad habits.
<aw->
hmmm
<aw->
many red flags so far, i wouldn't trust your software just based on what you've written in this public chat
<aw->
security must NEVER be an afterthought
<pablo_escoberg>
it isn't. I'm starting by making sure my passwords are securely hashed and I'm not even protecting anything valuable yet.
<aw->
but it's your project so doesn't matter until you release it
<pablo_escoberg>
My security attitude is always assume the data is a lot more valuable than it is.
<pablo_escoberg>
It may not meet your standards, but it's worked so far.
<aw->
¯\_(ツ)_/¯
<abu[7]>
ret
<abu[7]>
tankf33der: 'sandpile' looks OK, no?
<abu[7]>
: (symbols 'simul 'pico)
<abu[7]>
: (lint 'sandpile)
<abu[7]>
-> NIL
pablo_escoberg has quit [Quit: Client closed]
<tankf33der>
Ah, NIL is from lint, ok then
<abu[7]>
good
<abu[7]>
I think 'lintAll' should use its own version of getd
<abu[7]>
hmm, it is even simpler
<abu[7]>
I don't call fun? or getd in lintAll at all
<abu[7]>
Now lintAll also finds the above case
<abu[7]>
I released it
<tankf33der>
Thanks
<abu[7]>
Let's see how it "feels" ;)
<abu[7]>
'lint' is always very heuristical, because it cannot well know what is data and what is code
<tankf33der>
tested. seems all ok
<tankf33der>
afk.
<abu[7]>
Thanks!