u right

I'm always doing that with my networking code, but I still don't understanding signing. So I simply require the client to give a shared password to the server to confirm its identity. If password is wrong for whatever reason or isn't provided in time, the thread simply raises an error and the client is kicked out from accessing the server in any way.

Came here to say this. It's just used for the handshake.

@@FinlayDaG33k so that means TLS uses asymmetric encryption, right?

@@gravy1770 asymmetric to establish the shared secret before swapping to symmetric.

This makes me happy, even if my original comment on the matter got deleted lol

and he has used it for the hacking challenge, very clever..no one thought that you'll use md5 again after correcting the past video mistake 😂😂

Whoops

I was thinking "dude... MD5 was unsafe when I was in senior high 15 years ago..." 🤣 Good thing he owned up to his mistake 👍

@@yassin_eldeebHe did that to give the proof that md5 is outdated

😂😂😂 Good question 😂😂😂

Hahaha

loool 🤣🤣

It's probably the lifetime account password, if you crack it is yours

😂😂😂 I did not see it that way at first but you make a lot of sense

This comment need to be pinned

PX ODLT HXDABNUO 9 Let's see if you guys can decrypt this message.

​@@eliasziad7864 rickroll would have been funnier

@@shokifrend77 First tell me what the message said?

Can't get more accurate ♥️

Garbage in... Garbage out

Definitely, only randomly generated or diceware are acceptable

yep

thats why 8 charcter is a standard

I started using password manager and updated most passwords to unrememberable computer generated ones.

I think he's married

@Daniel Vilela, 😂

@@ayushverma5151 wife then it is

Good point, "unique as possible" would have been a better phrasing.

Its unique for all practical purposes for the modern cyphers uses today. Afaik for SHA256 no one has ever been able to find a collision. That being said you are correct in that any hash by definition cannot be injective.

@@yakov9ify Yes , by definition hash functions have low probability of collision. And like you said they are surjective functions

Well yes, that is what is called collision. But the idea of a hash is also that collision is hard to find (with a systematical method other than sheer brute force). Different input can be mapped to the same output. However, even the slightest change in the input (say, a bit flip) will change the output significantly. This, makes finding two input with the same output quite hard.

There's also the matter of that text converted to bytes which is then hashed, it's unlikely if there is a collision that the input can actually be created from the bytes from text, so there's some accidental security there. However random bytes which are hashed lack this "feature". If there is a collision with text inputs it's also likely that the password used is weaker than the other input that returns the same hash, so there's no downside.

loved every minute,

Every fireship's videos are perfect haha

Hi how's the journey so far? Where can I get the 10 hrs lesson?

@@cybermoneyxchange3230 at uni

@@berb_yt This is what I'm experiencing right now :>

They teach most things so slow that it becomes impossible to understand

I always hate these comments tbh. It's just not possible a general, brief overview to give you more than 10hrs of uni classes. Idk if you were sleeping or drunk in class, but even though this video is great, it's simply not able to cover that much info in 12min. Hope you've learned how to pay attention.

You maniac

If he did a risc based architecture like ARM it might be doable

Assembly in 100 hours

Talking about assembly in a whole I mean all architectures including x86 and risc

that would be fun tbh

i’ve noticed this in my api. I use 512kb of memory to hash and store user passwords but 128kb for api keys. it takes the server about 1.5 seconds to hash using 512kb which isn’t unreasonably slow but compared to sha256 or bcrypt, it’s like a snail. verifying api keys on each request with just a hash is also somewhat computationally intensive so that’s why i dropped the api key memory to 128kb. somewhat decent security balanced with speed. besides, i’d rather have my limited permission based api key brute forced than my password

use salt & pepper

I hope you didn't do this in production dawg 😯

I second that!

For school or just knowing the basic, that ok, but you should not implementing your own authentication system in a real product

Also it's often implemented poorly when it comes to the generation of the required primes which leads to many public keys sharing prime-compartments

@@tobiasaddicks9695 exactly, but id say is a good video for beginners

Ohh never heard about this. I'm still use RSA 1024bit keys. Not that anyone would care to hack me so I'll just keep using it for now.

(Sorry for necroposting) I didn't want to go into details in my comment above, but there are multiple reasons why RSA isn't great nowadays. To make a short list: 1. You need quadratically increasing key size instead of linear increasing key size to get the same amount of security bits because of the reliance on prime numbers (AKA keys can get really big really fast and this will only get worse). 2. Key generation include a "brute-force" step, which makes key generate really slow. This is especially problematic for key exchanges, as this is a pattern seen in the wild. Apart from that, pretty much every operations is slower with RSA then with Elliptic Curves. 3. The way key generation work, your whole security model relies on the fact that your key is "probably" prime... 4. RSA design makes it a good target for timing attacks, depending on the implementation (this is also a reason why AES is slowly getting phased out in favor of chacha20) 5. RSA is badly broken with quantum computers because of Shor's algorithm. The danger with quantum computers isn't that they're so fast they could bruteforce any cryptographic primitives that classic computer can compute, it's more that quantum computers gets access to new quantum algorithms that can solve some previously "unsolvable" mathematical problem with way more ease then classical computers, so not all primitives are affected the same way.

Quantum computers that can run Shor’s algorithm are vapourware, and destined to remain that way indefinitely.

what are the different use cases for a hash vs hmac?

@@kylector The use case for regular hash functions is to provide data integrity. If even one bit changes in the data, then when you run it through the hash, it would be very obvious the data was altered. The use case for hmac is to provide data integrity but also to provide authentication; AKA verifying the data was sent from the right person. This is because only the person with the correct password can produce the hash of the message they sent you.

If a hacker just splits the hash like he did in the code. Isnt that the same as having no salt at all?

@@flodderr yep seems like it.

Joining them with “:” it’s like hinting it a la captain obvious 5:44

Check out his second channel 'Jeff Delaney' he provides some good insight over there!

Sa.e

How did you solve it?

@@soumyajitdey5720 check the hash type and then use a well known weakness for those hash. It is quite trivial and it shows the point of salting. Spoiler warning!!! . . . . . . . . . . . It is MD5 without a salt and then you just use a lookup table.

@@YandiBanyu great! Was thinking along the same lines but you were quicker 😂 Good job! 👏

@@soumyajitdey5720 I didn't get the challenge either lol. Watched the vid 6 minute after release and the challenge were already solved.

Pretty sure if he had put “Let’s go Brandon” there would’ve been some response

The salt is appended, but then gets mixed together with the password during the hash, so in the final result hash it's all jumbled together. There's no easy way to split it out.

@@chrissdehaan yea but then he appends the salt to the hashed password and pushes that to the DB. So a hacker has the salt anyway if he sees a colon in the value

@@flodderr It's not quite in that order. It doesn't go: 1) Hash 2) Append salt It does go: 1) Append salt 2) Hash The salt is appended to the password first, then that whole string is hashed next. That means the salt mixed around through the whole result, and can't be seen or split out easily.

@@chrissdehaan I understand what you're saying but look at his code again. On the 2nd line of the signup function he does exactly what you say. But then on line 4 of that function he makes a user variable to push to the DB that exists of again the salt + the hash of salt with password. Im confused why he does it like that

Sure it is oblivious. But to generate the resulting hash, you need to add the salt. This means that a password if hashed (say "abc") will be the result of "abc"+salt. Now if each user has unique salt, it means lookup table attack is pointless and the hacker need to attack each hash independently.

@@YandiBanyu and i believed all the time, we should not save Salt in the DB. Just have it in the Application Ram. So if the Database lost. the Salt is independent..

@@mikelinsi Well, the problem with that is, if you have an upgrade to your application, those salt are lost. Remember, to check the password you need the salt and then hash them then compare the result. Without salt, you cannot check the user anymore. Also, you should use different salt for each user.

It was used as an example. One should use fixed size salts for the reason you showed.

It's just a technical detail. If the salt and password lengths are constant, a separator wouldn't be needed. Or they could even be stored in different columns. Doesn't really matter. Also, if using a single field that combines the salt and the hash, trying to depending on an attacker not knowing where in the field the divide is would be a type of security-by-obscurity, which doesn't work anyway, so you might as well put the separator there, for your own convenience.

Yes. For example, I saw a PHP password algorithm using MD5, which sounds bad. But it iterates the hash 8000 times, which is good. Not suitable for cryptographic message hashes, but good for password hashes.

What are u talking about? Xd

Haha thermorectal, all your secrets belong to us 😂

Jeff is a friend of Zucc so he has all of our data and runs a simulation of all of our brains in virtual machines and can thus determine exactly what video everyone wants at any given time.

@Kelvin Well, you are saying the fact. I invested $4,000 with Mrs Annabelle Hartfield , and earned $12,000 in 7 working days.

In Bitcoin investment, determination to take risk is one of the major factor required because it takes a brave heart to make money this days.

Being a newbie in Bitcoin investment and trading is very discouraging but since I met Mrs Annabelle Hartfield , she has really been careful in handling my investment.

Many people are afraid to be invest because of the Scammers in the business

Yes there are scammers in the business just like it's in every other business but there are also legit brokers out there for investors and Mrs Annabelle Hartfield is one of the real and legit brokers out there.

The main point of a salt is to prevent rainbow table That is, because a hashing algorithm will always give the same output for the same input, hacker can just store the before hand. For example: if password "12345" will always be "aRwhY" then a hacker can store this into a database, kinda "oh, using this algorithm, password 12345 will become aRwhY, so everytime i see aRwhY, it must be 12345, no need to decrypt it" However, with salt, every time you type in 12345 as your password, you get a very different hash, so even if a hacker know both the hash and the salt, they cannot guess what the original password is

I would not rush him with Rust videos, considering that the last one was a catastrophic blunder of misinformation. For Node/JS, no-one comes close to his content.

I think you might not be aware of Phil Opp's OS tutorial in Rust. It's a series of articles.

Maybe search first next time? kzbin.info/www/bejne/h2ikgKmNpa6Jfrc

Stocks are good but crypto is more profitable

I'm new to forex trade and I have been making huge losses but recently see a lot of people earning from it.can someone please tell me what I'm doing wrong

@@evelynhannah3147 All you need now is a professional broker else you gonna continue blowing of your account

Mr Dennis services is working for me at the moment and am making good profits from forex and crypto trading.

@@jeremysanchez5545 Same here, it’s four months now I started investing with him and it's been good experience

I'm so happy ☺️ my life is totally changed. I've been earning $10,250 returns from my $4,000 Investment every 13 days

Same here, I made $12,400 profits on investing since I started trading with Mr Grey Smith his trading strategies are too notch am winning consistently trading with Mr Grey Smith . He really the best broker I've made a lot of profit investing with him.

I heard a lot of investing with Mr Grey Smith and how good he is, please how safe are the profit?

@@christophercox6452 I trade with him, The profit are secured and over a 100% return on investment directly sent to your wallet.

After watching so many KZbin tutorial videos about trading I was still making losses untill Mr Grey Smith started managing my investment now, I make $6,800 weekly. God bless Mr Grey Smith . His been a blessing to my family.

Most intelligent words I've heard.

I got Mrs Tracy Britt Cool info, how good is she ?

@Mickey Paul Thanks i did a NetSearch on her out of curiosity and my findings on her surpass my expectations. I've drop words on her reachout