Internet Security II: Slowing Things Down

"You will not be punished for your anger; you will be punished by your anger." -- Buddhist proverb




Here's an interesting geeky snippet you probably don't know. The substantial part of progress in computing technology over the last handful of decades has been about making computers, and computational processes, faster and more efficient. However, there is one very important area of computing technology where significant improvements have been made in deliberately making things slower and less efficient (and no it's not Windows startup time - that's just a coincidence). Making the process more "computationally expensive" as us geeks like to say, just so that you think we're clever and will hopefully pay us more money.
By now some of my geek friends will already know what I'm talking about, because this actually is a rarity. Normally when we make things slower it's by mistake, there really are very few things we *try* to make slower. What I'm talking about is a facet of computer security to do with the processing of passwords.
Basic web security says that you never (ever) store user passwords. If you store a user password, however carefully, there's a chance it can be found. If you don't store the password it can't. Standard practise, which reduces rather than eliminates risk, is instead to store a "one way hash" (actually a salted one way hash, maybe another day I'll explain salting). A hash of a password is effectively a very, very large number, and everything in computers is a number when it comes down to it, that represents the password. Given a password typed in by the user you can put it through the algorithm that turns it into a hash and compare it with the stored hash. If they match then the user has supplied the right password and if it doesn't they haven't, and yes this means there is an infinitesimally small chance that by coincidence someone could supply a wrong password that happens to hash the same way - this is a tiny but literally calculated risk. This way you can still check if the user has given you the right password without having to actually store their password. It's called a one way hash because you can go from a password to a hash easily but not easily back from a hash to a password. Genius, right?
Except modern computers are astonishingly fast, and what's more nowadays you can trivially easily (honestly) use cloud computing to perform similar calculations on hundreds of computers simultaneously. So even with hashing in place it's possible to just try every possible password until you eventually find the right one. This is called a "brute force" attack. (There are a whole class of computing problems where "brute force" is the only known way of finding the best solution, these are called "NP hard" problems and they include the knapsack problem and the travelling salesman problem, which are problems delivery drivers have to solve every working day. Delivery drivers solve these problems a similar way to how programmers solve NP hard problems that they can't actually use brute force on because it's too slow; take a best guess and get on with it.)
The solution to the problem of cracking passwords by force, or at least the best amelioration to date, is to use a hashing algorithm that is really expensive. i.e. to make the process of checking if a password is correct "computationally expensive", very slow and requiring a lot of memory. So a brute force attack, whilst still theoretically possible becomes effectively impossible in practise. There you go, slowing things down for the good of all humanity.

For the true geeks amongst you, up until recently the recommended slow hashing algorithm was one called "PBKDF2". The latest hotness, I believe, is called "Argon2". Slow hashing is a rapidly changing field.

The looming scary monster on the horizon is not the ordinary progress of computing technology we've seen so far, you'd still probably have to have a million computers churning away until the heat death of the universe to crack some of our codes. The scary thing is the maybe-real-maybe-not-who-knows quantum computing which is gradually emerging. This takes a completely different approach to solving this kind of problem, and if we ever get it right. Well, that's a whole different kettle of ball games. The bottom line is that no-one knows what scary terrors await us on the other side of the future, and the only sensible thing to do in the meantime is make sure you enjoy today and cuddle the people you love. A lot.


You may also be interested in the following programming related articles:

"There's an Islamic teaching that one of the prayers that is never refused or not granted is one for true guidance and truth. It is, after all, the only key to open the door. Just ask.

Popular posts from this blog

Commentary on Brexit and Thoughts on Patriotism

Image
I don't seem to meet many ordinary people. Most people seem extraordinary. As much as I am opposed to Brexit it seems curious to me the delight with which some people I follow on Facebook seem to take in news that the negotiations are apparently difficult and that it could be bad for Britain. They seem to relish the damage as they'd rather be right than see something good come out of it. It is a rather foolish state of mind to wish harm upon yourself and your fellows merely in order to be proven right. I detest much of the harm and lack of compassion I see in the Tory government, whilst accepting that those who vote conservative see the world in a very different way to me and that I am not wholly right and nor are they. I want the best for the UK and I want the best for Europe and I sincerely hope we can find our way forward together no matter who is in government in the UK. This is why party politics is so pernicious. It cons you into supporting a side instead of suppo
Read more

The Jesus Army and the Independent Inquiry into Childhood Sexual Abuse

Image
 IICSA Inquiry - Child Protection in Religious Organisations and Settings  The Truth Project for Victims of Religious Abuse The exclusively male authority of the Jesus Army, delegated from the cruel and unusual senior pastor Noel Stanton, was full of darkness and deceit and nothing of God. It was a personality cult with Noel as an absolute ruler who delighted in crushing people.  Those in the cult who took on a sacred duty to care, and swore a covenant to it, have to answer for the shameful way they treated so many. The leaders who were in charge; it happened on their watch, they let it happen and made it happen. Oath breakers and traitors. To betray love is its own reward. There is a price to be paid in the heart. Deuteronomy 1:35  None of this evil generation will see the good land I promised your ancestors. The JA called itself the "Joshua generation", the J Generation. They didn't read the story right. Only two from that generation believed God and entered the promise
Read more

George William Curry and Pathfinder Squadron 627

Image
You can read more of my story in: My Autohagiography: Fragments of a Once Broken Mind A 627 Squadron Mosquito I went to visit my Dad today and spent about an hour talking to him before he got too tired. He's dying of cancer but as always he was in a cheerful mood. He told me a bit more of the story about his Dad who he never knew. His Mum hardly ever talked about him so what he knows comes from some of Granny's papers and my Dad's investigation after she died. He found a whole new branch of his family including Aunts and cousins and a Great Aunt Olive. Before joining the RAF George William Curry worked for an insurance company called UKAPIAN. The only remnant of UKAPIAN now is one page on the website of Axa who ended up buying them, but they started life as a motor insurance company run by a temperance society. Teetotalers are good customers for a motor insurance company but there wasn't enough of them and UKAPIAN had to branch out. At any rate my Dad has George's b
Read more