The Club Penguin Experience got breached.

Dot.@feddit.org to Technology@lemmy.world – 113 points –

obligatory bcrypt is not encryption

Correct, but you also don't want an encrypted password. You want a hashed password.

this is true, and the name bcrypt can be misleading to non-experts. I don’t blame them for getting this wrong in a PR statement 🤷‍♀️

bcrypt... with how many iterations? seems like an important detail

I don’t think I’d make that information public were I in their shoes. Wouldn’t that be a hint for anyone attempting to crack them?

no, it’s (usually) stored as a part of the hash

This is actually an optional thing. By default it will, but it can be configured to be stripped; generally not a recommended thing, though, because it means that whenever you want to change the iteration count or the you need to force a password reset on every existing user.
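The point made in the two replies above (the cost lives in the hash string itself, and stripping it makes later cost changes painful) can be shown by parsing the bcrypt modular-crypt format. This is an added example, not code from the thread; the sample hash string is constructed for illustration and is not the hash of any real password.

```python
import re
from dataclasses import dataclass

# Self-describing bcrypt layout: $<version>$<cost>$<22-char salt><31-char digest>
# The cost is the base-2 log of the iteration count (2**cost rounds).
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)

# Constructed sample (syntactically valid, not derived from any real password).
SAMPLE_HASH = "$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"


@dataclass(frozen=True)
class BcryptParts:
    version: str
    cost: int
    salt: str
    digest: str


def parse_bcrypt(stored: str) -> BcryptParts:
    """Split a stored bcrypt string into its parts, or raise if the header is missing."""
    m = BCRYPT_RE.match(stored)
    if not m:
        # A stripped string (salt+digest only) lands here: without the header the
        # verifier cannot learn the cost, so the row can only be replaced by a reset.
        raise ValueError("not a self-describing bcrypt string (header missing)")
    version, cost, salt, digest = m.groups()
    cost_int = int(cost)
    if not 4 <= cost_int <= 31:
        raise ValueError(f"bcrypt cost out of range: {cost_int}")
    return BcryptParts(version, cost_int, salt, digest)


def iterations(cost: int) -> int:
    """Number of expensive-key-setup rounds implied by a cost value."""
    return 1 << cost


def needs_rehash(stored: str, target_cost: int, target_version: str = "2b") -> bool:
    """True when the stored hash is below the current policy and should be
    recomputed the next time the user logs in (no forced reset needed)."""
    parts = parse_bcrypt(stored)
    return parts.cost < target_cost or parts.version != target_version
```

Because the cost is read from the stored string, a site can raise its policy cost and transparently rehash each user at their next successful login, which is exactly what is lost if the header is stripped.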

Pretty good disclosure text. There are much bigger companies that don't manage to be this clear.

The only nitpick I have is saying "encrypted" with bcrypt, even though they clearly know that bcrypt only hashes things.

I'm willing to give him a pass on that one, since they're probably worried that their general audience will understand the word encrypted but not understand the word hashed.

So what password hashing mechanism upgrades did they implement?