codahale.com: blog

Coda Hale lives in Berkeley, CA, where he writes about Ruby on Rails, usability, web design and development, and the occasional bit about bicycles.

My first Rails complaint: What, no authentication?

Okay, it’s time for my first gripe about Ruby.

There’s no built-in authentication system.

There’s built-in everything else, but when it comes to authentication, for some reason we’re left to the mercy of generators/plugins/engines/etc., all of which are written by people with very limited experience with cryptography.

MD5? SHA-1? Seriously? Are people still writing new applications using these algorithms? Are people still writing applications based on hash algorithms without building in any algorithm agility? Sweet mother of God, why?

I’m supposed to not only take seriously but also use the product of someone who spells it “cypher”? (Quick tip, kids: Cypher is the weasely guy from the Matrix movies. Cipher is the cryptographic thingy.) Oh Lord take me now.

The best I’ve found so far is Bruce Perens’s ModelSecurity, which is really, really ugly. Butt-ugly. So ugly you’d pronounce it “yoo-gly.”

For anyone listening, here are crucial points to consider when designing an authentication system.

  1. Do not use MD5 or SHA-1. These are seriously flawed algorithms, so much so that it’s putting that entire family of algorithms in doubt. MD5 was considered broken last year, and SHA-1 looks just as bad. Bottom line?

    Don’t use SHA-1 for anything new, and start moving away from it as soon as possible. To SHA-256, probably.

    Don’t make Bruce Schneier come kick your ass.

  2. Salts are best used on a per-entry basis. If you’re going to use a random salt to store a user’s password with (e.g. hash(salt + password)), you might as well go the extra five minutes and do it on a per-user basis, not a per-site basis. The whole point is to increase the computational cost of a rainbow table/offline brute force attack, not fudge the hash function it uses a little bit.
  3. Keep it simple, jackass. Don’t make it the all-singing, all-dancing spaz-mo-tronic wonderblunderbubblebuggy. Remember why you like Rails: it provides you with meaningful defaults. It doesn’t do everything for you.
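The three points above, worked into one small Ruby example (added here, not code from the post or from any of the plugins it mentions): SHA-256 instead of MD5/SHA-1, a random salt generated per user, and an algorithm tag stored alongside each entry so the hash function can be swapped later without locking out existing users. The `algorithm$salt$digest` storage format and the function names are my own assumptions.

```ruby
require 'digest'
require 'securerandom'

# Maps the algorithm tag stored with each password to a hash function.
# New tags can be added without touching stored entries: that is the
# "algorithm agility" the post asks for.
ALGORITHMS = {
  'sha256' => ->(data) { Digest::SHA256.hexdigest(data) },
  'sha512' => ->(data) { Digest::SHA512.hexdigest(data) },
}.freeze

CURRENT_ALGORITHM = 'sha256'

# Builds the stored form "algorithm$salt$digest" for a fresh password.
# The salt is random and generated per user, not per site (point 2).
def create_password_entry(password, algorithm: CURRENT_ALGORITHM,
                          salt: SecureRandom.hex(16))
  digest = ALGORITHMS.fetch(algorithm).call(salt + password)
  "#{algorithm}$#{salt}$#{digest}"
end

# Verifies a candidate password against a stored entry. The algorithm
# is read from the entry, so old entries keep working after the default
# changes. Returns false (never raises) for unknown tags or bad entries.
def verify_password(entry, candidate)
  algorithm, salt, expected = entry.to_s.split('$', 3)
  hasher = ALGORITHMS[algorithm]
  return false if hasher.nil? || salt.nil? || expected.nil?
  actual = hasher.call(salt + candidate)
  constant_time_equal?(actual, expected)
end

# Compares two hex strings without short-circuiting on the first
# mismatching byte, so a remote caller learns nothing from timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# True when a stored entry was made with an algorithm other than the
# current default, i.e. it should be re-hashed at the user's next login.
def needs_rehash?(entry)
  entry.to_s.split('$', 3).first != CURRENT_ALGORITHM
end

if $PROGRAM_NAME == __FILE__
  entry = create_password_entry('correct horse')
  puts verify_password(entry, 'correct horse')   # true
  puts verify_password(entry, 'wrong horse')     # false
end
```

Because the tag travels with each entry, changing `CURRENT_ALGORITHM` only affects new entries; `needs_rehash?` lets a login path upgrade old ones once the plaintext is available again.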

I’m going to have to implement my own, aren’t I?


I know what I want for Christmas: a bastard big front brake

The commuter lifestyle’s been interesting. I don’t have a long commute–10 miles a day–but it’s still taking some getting used to. One thing’s for sure: I’m a hell of a lot stronger on the bike for spending an hour a day on it.

Spending so much time on a fixie is definitely interesting, and it’s brought to light some flaws which need fixing. To wit: a front brake in the rain isn’t enough. Back-pedaling is cute and all, and the girls get all moony when you skid around, but the difference between me with my middle finger raised and me ground under the wheels of some proto-yuppie’s oversized pickup truck is braking ability. It’s the rainy season now, and the ol’ front brake just don’t work too good after a few puddles.

So I spent some time thinking, and poking around on the internet, and getting used to being paid regularly, and I came to a conclusion: I want a fixie with a bastard big disc brake on the front. You heard me, kids. I want to take a purty, lugged, steel frame and slap an evil, car-inspired brake on it. Why? I like not careening. Because I don’t have a billion dollars to throw at the custom frame-making Zen monks, I’m probably going to try to find a nice, huge frame (I’m 6′4″, y’know, which means I look silly on other people’s bikes) and toss an aftermarket touring fork on. Zany hijinks ensue.

Expect pictures.

Speaking of expectations, my friend, co-worker, flatmate, and co-conspirator Peter and I have wonderful plans in store. It revolves around bikes and being happy. I’ve already said too much.
