
This approach also means that the password must be stored as plain text. Otherwise they would only be able to compare if the password was complete.


Not necessarily. You could store $10 \choose 5 = 252$ hashes for each user.

We did something similar for call center caller authentication (you don't want the operator to get the whole PIN of the user, so he asked only for e.g. two characters). Not that this would be very useful, security-wise.


> Not necessarily. You could store $10 \choose 5 = 252$ hashes for each user.

Wouldn't this be way easier to crack if the password hashes were leaked? Once you crack one 5-letter hash, you can trivially crack the one that shares 4 characters with it, and do that repeatedly until you have all 10 characters.

You're reducing the effective search space not by a factor of 252 (8 bits of entropy, which would often be acceptable) but to its square root, losing half of the entropy.

Although it seems like security theatre, the PIN solution actually sounds more useful. The typical attack on a system protected by PINs, like bank cards, is not cracking hashes offline - it's that the attacker tries the PINs on the live system and gets locked out after a small number of failures. Assuming the bad actor can't just initiate another call and ask for the other two digits.
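To make the two sides of this exchange concrete, here is an added example (written for this page, not code from any commenter or from the linked project) that implements the "store one hash per 5-of-10 position subset" scheme and computes the entropy figures the reply quotes. Function names, the PBKDF2-SHA256 choice (with an iteration count reduced well below production values so the 252 enrollments finish quickly), and the 26-letter alphabet used only for the entropy estimate are all assumptions of the example.

```python
import hashlib
import hmac
import math
import os
import secrets
from itertools import combinations

PASSWORD_LEN = 10   # full secret length, as in the thread
CHALLENGE_LEN = 5   # characters asked for per login, as in the thread
ALPHABET_SIZE = 26  # assumption: lowercase letters, used only for the entropy estimate
PBKDF2_ITERS = 2_000  # assumption: deliberately low for the demo; use far more in production


def _hash_subset(positions, chars, salt):
    """Hash one position subset. Positions are bound into the message so the same
    characters at different positions never produce the same digest."""
    msg = ",".join(f"{p}:{c}" for p, c in zip(positions, chars)).encode()
    return hashlib.pbkdf2_hmac("sha256", msg, salt, PBKDF2_ITERS)


def enroll(password: str) -> dict:
    """Store C(10,5) = 252 salted hashes for the user, one per 5-position subset."""
    if len(password) != PASSWORD_LEN:
        raise ValueError("password must be exactly %d characters" % PASSWORD_LEN)
    salt = os.urandom(16)
    table = {}
    for positions in combinations(range(PASSWORD_LEN), CHALLENGE_LEN):
        chars = [password[p] for p in positions]
        table[positions] = _hash_subset(positions, chars, salt)
    return {"salt": salt, "hashes": table}


def new_challenge() -> tuple:
    """Pick which 5 positions the user is asked for on this login (fresh each time)."""
    rng = secrets.SystemRandom()
    return tuple(sorted(rng.sample(range(PASSWORD_LEN), CHALLENGE_LEN)))


def verify(record: dict, positions, answer: str) -> bool:
    """Check the user's 5 characters against the stored hash for those positions."""
    key = tuple(positions)
    if len(answer) != CHALLENGE_LEN or key not in record["hashes"]:
        return False
    candidate = _hash_subset(key, answer, record["salt"])
    return hmac.compare_digest(record["hashes"][key], candidate)


def entropy_bits(alphabet_size: int = ALPHABET_SIZE) -> dict:
    """Guessing cost (in bits) of the three cases discussed in the thread:
    - full: brute-forcing the whole 10-character secret
    - per_subset: the naive 'factor of 252' reduction from having 252 hashes
    - chained: crack one 5-character subset, then extend one character at a time
      using hashes that overlap in 4 positions (the reply's square-root argument)"""
    full = PASSWORD_LEN * math.log2(alphabet_size)
    per_subset = full - math.log2(math.comb(PASSWORD_LEN, CHALLENGE_LEN))
    # After the first subset, each remaining character costs only alphabet_size
    # guesses, which is negligible next to alphabet_size ** CHALLENGE_LEN.
    chained = math.log2(alphabet_size ** CHALLENGE_LEN
                        + (PASSWORD_LEN - CHALLENGE_LEN) * alphabet_size)
    return {"full": full, "per_subset": per_subset, "chained": chained}


if __name__ == "__main__":
    rec = enroll("abcdefghij")  # constructed sample secret
    pos = new_challenge()
    print("ask for positions", pos, "->", verify(rec, pos, "".join("abcdefghij"[p] for p in pos)))
    print({k: round(v, 1) for k, v in entropy_bits().items()})
```

The `entropy_bits` output is what a defender should weigh before adopting the scheme: `per_subset` is the optimistic "8 bits lost" figure, while `chained` is close to half of `full`, which is the reply's point. The `hashes` dictionary also shows the storage cost (252 digests per user) the scheme implies.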


Oh, sure, the authentication itself is fairly usable for the given use case, the hashing is security theater. I advocated not hashing those PINs, but you know, standards, auditors, etc. "Passwords must be hashed", security theater or not.


There are ready solutions for that too. For example https://github.com/bizley/yii2-partial-password


Twitter integration probably.


There's a lot wrong with this article.

Firstly having a private network for your infrastructure isn't a one stop solution for keeping attackers out.

Secondly using Github Enterprise or self hosted GitLab doesn't make up for storing secrets in Git.

Looking forwards to the proper write up.


I've never claimed it was a "one stop", but it certainly keeps the random internet users to a minimum.

And yes, using GHE or self hosted GitLab doesn't make up for storing secrets, but it at least keeps them out of the public eye so the effects are less brutal. It's still bad to store secrets in a code repository.

My whole point is that you can reduce risks easily, yet some people don't for some reason.


I think the author's point is that the ads put out by lots of these VPN providers do suggest that they are a one stop shop to hide your identity.


He's right about the scummy advertising, but I think he goes a little too hard-core contrarian in the end by basically suggesting the only reason to have a VPN is for airport/starbucks wifi.


This doesn't seem very agile. Without developer input into the sprint planning meeting this is going to lead to 3 hard weeks where overtime is highly likely because the team didn't have any say on what work was done and 1 week off to recover.

Whilst this may help with burnout so do the main implementations of agile when done correctly.

Agile done properly is all about quickly getting feedback on the speed of work so the business can correctly plan in accordance to this.


They allow ads targeted towards people with antivax and other conspiracy beliefs. I think they're looking to change this but they definitely aren't innocent in this.

https://www.theguardian.com/technology/2019/feb/15/facebook-...


Then the parents will just home school and the kids will grow up with the same views and not learn critical thinking. Better to keep them in the system I think.


Although anecdotal, I studied in the public system and I would say that most of my classmates did not really learn critical thinking, neither from school nor from a different source.

I guess it depends on the education system in question, as some of them, like mine, are more focused on memorizing facts instead of questioning them.


Home schooling is not legal in Germany.

