Quiz

  1. Can you explain what it means for bcrypt to be 'slow', and why it is a good thing for the algorithm we use to be slow?

    It does a fast hashing algorithm in a loop, many, many times. val = hash(val). We configure how many times.

    It's good for it to be slow, because the good guys only hash once, while the bad guys have to run it millions of times. So if we can force each run to be several seconds, then brute force doesn't work so well.

  2. Is the term hashing used two ways? One way referencing how we "hash" passwords to protect them and make them more secure, and the other way referring to a hacker "hashing" the password (i.e. trying to crack it)?

    Yes, but it's the same meaning.

  3. So, what exactly is hashing adding onto the inputted password? A hexadecimal? It’s unique, but randomized? How does the system compute the hash?

    It replaces the password. So instead of storing "secret2023" we store 6a3c93c34fbfdc6727c19eb6df7836da

    There are several commonly used algorithms. I used MD5 there.

  4. I'm a little confused by the second scenario in the concurrency section: why would one insert work but not the other? Also, why does the updated code solve the problem?

    The second insert doesn't work because username is a key, and so you can only have one row with that key. Fred and George can't both have that username.

    The updated code catches the error that is raised and informs the user.

  5. How does last insert ID work if you don't know when other users might have been created in the meantime?

    The database keeps track of the last auto_increment value generated in that connection. So as long as the connection persists, it doesn't matter how many others have signed up concurrently.

  6. In the reading it says that you can store username in session but I didn’t see that in the login code. Is it possible to go over sessions?

    I think you overlooked this code:

            # remember who is logged in by storing their details in the session
            session['username'] = username
            session['uid'] = row['uid']
            session['logged_in'] = True
            session['visits'] = 1


    I'll go over sessions as well, since they are closely tied to logins.

  7. To make sure, usernames and passwords should be stored in their own table?

    Not necessarily. Or you could put other things in that table. The unix login database has values for username, uid, gid, real name, home directory and shell.

  8. I think I'm a little bit confused as to how hashing works. How is it possible to have a one-way hash, that can't be reversed? Isn't it always possible that some very determined person or program could find a way to reverse the hashed value?

    No. There are operations that destroy information. For example, if we take the XOR of 1010 and 1100 to get 0110, it's not possible to look at 0110 and reverse it to get the two arguments. They might just as easily have been 0110 and 0000 or 1001 and 1111 or ....

    Here's the MD5 algorithm

  9. How does the computer tell \xe4\xbd\xa0, \xe5\xa5\xbd (two 3-byte symbols) from \xe4\xbd, \xa0\xe5, \xa5\xbd (three 2-byte symbols) in UTF-8 encoding?

    Great question. The representation is designed to avoid ambiguity like that.

    It's a prefix code, which means that when it reads \xe4\xbd it either knows that that is a valid 2-byte symbol or the prefix of a valid 3-byte symbol. Never both.

    Morse code, for example, is not like that. Is .... an H or II?
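    As an added illustration (not part of the original Q&A), here is a small Python splitter that follows the UTF-8 rules described above: the lead byte's high bits announce how many bytes the symbol has, and a continuation byte (10xxxxxx) can never start a symbol, so the sample bytes can only be read as two 3-byte symbols. Function names and the sample inputs are my own.

```python
# Added example: split a UTF-8 byte string into symbols using only the
# lead-byte rule, and refuse malformed input instead of guessing.

def utf8_symbols(data: bytes) -> list:
    """Return the symbols (one bytes object per code point) in data.

    Raises ValueError on malformed input. A decoder that guesses at
    boundaries is a filter-bypass risk (overlong or truncated sequences),
    so this one fails closed.
    """
    symbols = []
    i = 0
    while i < len(data):
        lead = data[i]
        if lead < 0x80:                  # 0xxxxxxx: 1-byte symbol (ASCII)
            length = 1
        elif 0xC2 <= lead <= 0xDF:       # 110xxxxx: 2-byte lead (C0/C1 would be overlong)
            length = 2
        elif 0xE0 <= lead <= 0xEF:       # 1110xxxx: 3-byte lead
            length = 3
        elif 0xF0 <= lead <= 0xF4:       # 11110xxx: 4-byte lead (up to U+10FFFF)
            length = 4
        else:                            # 10xxxxxx continuation, or F5..FF: cannot start a symbol
            raise ValueError(f"byte {lead:#04x} at offset {i} cannot start a symbol")
        chunk = data[i:i + length]
        if len(chunk) < length:
            raise ValueError(f"truncated symbol at offset {i}")
        for b in chunk[1:]:              # every remaining byte must be 10xxxxxx
            if not 0x80 <= b <= 0xBF:
                raise ValueError(f"byte {b:#04x} is not a continuation byte")
        # Python's strict decoder rejects the remaining bad forms
        # (overlong 3/4-byte encodings, surrogates, > U+10FFFF).
        chunk.decode("utf-8")
        symbols.append(chunk)
        i += length
    return symbols


def is_valid_utf8(data: bytes) -> bool:
    """True if utf8_symbols accepts data without raising."""
    try:
        utf8_symbols(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = b"\xe4\xbd\xa0\xe5\xa5\xbd"          # the two 3-byte symbols from the question
    print([s.hex() for s in utf8_symbols(sample)])
    print(is_valid_utf8(b"\xe4\xbd"), is_valid_utf8(b"\xa0\xe5"))  # the 2-byte readings fail
```

Running it shows the split `['e4bda0', 'e5a5bd']`, while `\xe4\xbd` is rejected as truncated and `\xa0\xe5` is rejected because `\xa0` is a continuation byte.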