  • There’s a model that id used for open sourcing their engines. The source code is open, but the assets (textures, models, sounds, etc.) are still copyrighted and you still have to buy the game to get them legally. This means the company still sells copies on Steam or wherever, and games that replace all the assets can still sell them without any licensing costs, too.

    I’m a little surprised this model never caught on. Even id only ever published the engine to the previous game–Quake 3 was open sourced a little after Doom 3 was released–and the practice seems to have stopped when John Carmack left.

    Possibly because nobody has tested it in court, or some other subtle legal issue?


  • A password only 8 chars long can still be brute forced, salt or not.

    Without salt, the attacker would make a guess, run the hash on the password, and compare it to the stored version.

    With salt, the attacker would make a guess, combine it with the salt, and then run the hash and compare like before.

    What salt does is prevent a shortcut. The attacker has a big list of passwords and their associated hash values. They grab the hash out of the leaked database, compare it to the list, and match it to the original plaintext. When the hashes have a salt, they would need to generate the list for every possible salt value. For a sufficiently long salt that’s unique to each password entry, that list would be infeasible to generate, and infeasible to store even if you could.

    If your passwords were long and random enough, then it’s also infeasible to generate that list to cover everything. It really only works against dictionary words and variations (like “P4ssw0rD”).
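An added example illustrating the comment above (not part of the original comment): it shows a precomputed hash list recovering an unsalted dictionary password, failing against per-entry salts, and per-entry guessing still recovering a weak salted password. The wordlist, function names and the use of plain SHA-256 are assumptions made for the demo.

```python
import hashlib
import os

# Constructed sample data: a tiny wordlist standing in for a password dictionary.
WORDLIST = ["password", "letmein", "qwerty123", "P4ssw0rD"]


def digest(password: str, salt: bytes = b"") -> str:
    # SHA-256 keeps the demo short (assumption); real storage should use a
    # slow password KDF such as Argon2, scrypt or bcrypt.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_table(words):
    """Precompute hash -> plaintext once, reusable against any unsalted leak."""
    return {digest(w): w for w in words}


def guess_one_entry(words, salt: bytes, stored: str):
    """Per-entry guessing: the work must be repeated for every salt."""
    for w in words:
        if digest(w, salt) == stored:
            return w
    return None


def demo():
    table = build_table(WORDLIST)
    results = {}
    # Unsalted: one dictionary lookup recovers the plaintext.
    results["unsalted_lookup"] = table.get(digest("P4ssw0rD"))
    # Salted: two users with the same password get different stored values,
    # and the precomputed table matches neither.
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    stored_a, stored_b = digest("P4ssw0rD", salt_a), digest("P4ssw0rD", salt_b)
    results["salted_lookup"] = table.get(stored_a)
    results["same_password_same_hash"] = stored_a == stored_b
    # The salt is stored beside the hash, so guessing still works on a weak
    # password, one entry at a time.
    results["salted_guess"] = guess_one_entry(WORDLIST, salt_a, stored_a)
    # A long random password is not in any wordlist, salted or not.
    strong = os.urandom(16).hex()
    salt_c = os.urandom(16)
    results["strong_guess"] = guess_one_entry(WORDLIST, salt_c, digest(strong, salt_c))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```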

  • Sorta. I find it doesn’t always pop up Bitwarden to select an autofill. Then I unlock it manually, and sometimes it then gives me the button for autofill. Sometimes not and I have to manually copy and paste.

    And sometimes there’s a broken ass app that blocks you pasting passwords. People need to be fired for this.

    Same thing happened to me on LastPass, so I’m pretty sure it’s an Android issue.


  • Not how it works.

    First of all, there are far too many companies out there still storing passwords in plaintext.

    Second of all, even with a good hash algorithm, hacking a specific person’s password out of a leaked database is still feasible when your passwords are variants of a few dictionary words with a few numbers and symbols attached.

    Creating fully randomized, unique passwords in a password manager really is the best way. Even an older hash method of storage on the web site’s part will likely protect it.

  • I’m hoping my makerspace will be able to do something like that in the future. We’d need funding for a much bigger internet connection, at least three full-time systems people paid market wages and benefits (three because they deserve to go on vacation while we maintain a reasonable level of reliability), and also space for a couple of server racks. Equipment itself is pretty cheap–tons of used servers on eBay are out there–but monthly costs are not.

    It’s a lot, but I think we could pull it off a few years from now if we can find the right funding sources. Hopefully can be self-funding in the long run with reasonable monthly fees.


  • IIRC, it’s nearly impossible to self-host email anymore, unless you have a long-established domain already. Gmail will tend to mark you as spam if you’re sending from a new domain. Since they dominate email, you’re stuck with their rules. The only way to get on the good boy list is to host on Google Workspace or another established service like Protonmail.

    That’s on top of the fact that correctly configuring an email server has always been a PITA. More so if you want to avoid being a spam gateway.

    We need something better than email.


  • I agree, and I think there are some reliability arguments for certain services, too.

    I’ve been using self-hosted Bitwarden. That’s something I really want to be reliable anywhere I happen to be. I don’t want to rely on my home Internet connection always being up and dyn DNS always matching. An AWS instance or something like that which can handle Bitwarden would be around $20/month (it’s kinda heavy on RAM). Bitwarden’s own hosting is only $3.33/month for a family plan.

    Yes, Bitwarden can work with its local cache only, but I don’t like not being able to sync everything. It’s potentially too important to leave to a residential-level Internet connection.