## CSRF

Interesting fact: If I can get somebody to navigate to a webpage I control, then I can use their browser to mass-create users. I think they might be able to brute-force logins, but I'm not sure how to detect a successful login.

## Salting

These days, site-specific salts are pretty much pointless. If somebody attacks the hashes for your site, it will be with a GPU, not a rainbow table. On the other hand, user-specific salts still very much have a point - it means that if somebody wants to attack your passwords, they have to do it one account at a time.

I can't tell if you use random per-user salts or not, because I don't see any code for producing that salt in the first place.
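The two points above (a cross-site page driving the victim's browser to create users, and the absence of any code that produces a per-user salt) can both be addressed in a few lines. The block below is an added illustration, not code from the question or this answer: it draws a fresh random salt per account with PBKDF2-HMAC-SHA256 (an assumed hash, since the reviewed code's own hash function is not shown), and it guards a simulated user-creation handler with a per-session CSRF token that a cross-site form cannot read. The `handle_create_user` and `simulate_cross_site_submission` names, the status codes and the in-memory `session`/`users` dicts are all constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# --- Salting: a random per-user salt generated at registration time ---
# PBKDF2-HMAC-SHA256 is assumed here; the reviewed code's own hash is not on the page.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is drawn for every call
    unless one is supplied, which is only done when verifying an existing hash."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def two_users_same_password_differ(password: str) -> bool:
    """Two accounts sharing a password must not share a stored hash; that is the
    property that forces an attacker to crack accounts one at a time."""
    s1, d1 = hash_password(password)
    s2, d2 = hash_password(password)
    return s1 != s2 and d1 != d2


# --- CSRF: a per-session token that a cross-site page cannot read ---

def issue_csrf_token(session: Dict[str, str]) -> str:
    """Store a random token in the server-side session and return it so the
    server can embed it in its own forms as a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def handle_create_user(session: Dict[str, str], form: Dict[str, str],
                       users: Dict[str, Tuple[bytes, bytes]]) -> int:
    """Simulated POST /users handler returning an HTTP status code:
    403 when the form token is missing or does not match the session,
    409 for a duplicate username, 201 on success."""
    submitted = form.get("csrf_token", "")
    expected = session.get("csrf_token", "")
    if not expected or not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403
    username = form["username"]
    if username in users:
        return 409
    users[username] = hash_password(form["password"])  # salt drawn inside
    return 201


def simulate_cross_site_submission() -> Tuple[int, int]:
    """Constructed scenario: the victim is logged in (has a session). A page the
    attacker controls auto-submits a form to /users; the browser attaches the
    victim's cookies, but the page cannot read the token, so none is sent and
    the request is refused. The site's own form, rendered with the token, succeeds."""
    session: Dict[str, str] = {}
    users: Dict[str, Tuple[bytes, bytes]] = {}
    legit_token = issue_csrf_token(session)
    forged = {"username": "bot-account-1", "password": "x"}  # no csrf_token field
    forged_status = handle_create_user(session, forged, users)
    genuine = {"username": "alice", "password": "correct horse", "csrf_token": legit_token}
    genuine_status = handle_create_user(session, genuine, users)
    return forged_status, genuine_status
```

The detection side of the reviewer's worry about brute-forcing follows from the same handler: a login endpoint protected the same way rejects every cross-site attempt with 403 before any credential check, so a burst of 403s with a valid session cookie but no token is the signal to log and rate-limit.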