Friday, December 14, 2007

When you're serving static files...

Never link a page such as http://yoursite.com/foo/bar/x to:

A) a plain, predictable name: http://static.yoursite.com/foo_bar_x.ext

B) a plain hash of the ID, e.g. .../hash_of_id_here.ext

C) borderline, but even a static salt is bad: .../hash_of_id_plus_'foobar'_here.ext

The basic idea is: use a different salt for every item. It can even be public info, like the title, creation time, or anything that varies sufficiently per item. That's the beauty of salts.

Or, alternatively, as better people than I have mentioned, use bcrypt with a set difficulty value, and all your rainbow-table-type fears go away.
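To make the difference between the three bad schemes and the per-item salt concrete, here is an added example (not code from the original post). It builds the file name each way for one constructed item and then runs a simple check: can someone who knows only the ID space (and any hard-coded static salt, assumed leaked) reproduce the real name? The item, extension, salt value and the extra keyed variant (an HMAC with a server-side secret, which the post does not mention) are all assumptions for illustration.

```python
import hashlib
import hmac

# Constructed sample item and file extension; not data from the post.
ITEM = {"id": 42, "title": "Quarterly report", "created": "2007-12-14T10:32:00Z"}
EXT = ".pdf"

# A static salt hard-coded in the app (the post's scheme C). Assume it is
# known to the attacker, e.g. from a leaked config file or source tree.
STATIC_SALT = b"foobar"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def name_plain(item) -> str:
    """Scheme A: the file name is just the raw ID."""
    return f"{item['id']}{EXT}"


def name_hash_of_id(item) -> str:
    """Scheme B: a bare hash of the ID; one table covers every ID forever."""
    return _sha256_hex(str(item["id"]).encode()) + EXT


def name_static_salt(item) -> str:
    """Scheme C: hash of ID plus a fixed salt; once the salt leaks, B again."""
    return _sha256_hex(str(item["id"]).encode() + STATIC_SALT) + EXT


def name_per_item_salt(item) -> str:
    """The post's recommendation: salt the hash with data that varies per item
    (title and creation time here, both possibly public but item-specific)."""
    salt = f"{item['title']}|{item['created']}".encode()
    return _sha256_hex(str(item["id"]).encode() + salt) + EXT


def name_keyed(item, key: bytes) -> str:
    """Added extension (not in the post): an HMAC over the item's fields with a
    server-side secret key, so the name is unguessable even with full metadata."""
    msg = f"{item['id']}|{item['title']}|{item['created']}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest() + EXT


def guessable_from_ids(name_fn, item, id_range=range(1, 1001)) -> bool:
    """Model a party who knows only that IDs are small integers: build the name
    for every ID with empty metadata and ask whether the real name is among them."""
    guesses = {name_fn({"id": i, "title": "", "created": ""}) for i in id_range}
    return name_fn(item) in guesses


def report(item=ITEM) -> dict:
    """Summarise which naming schemes fall to ID enumeration alone."""
    return {
        "plain": guessable_from_ids(name_plain, item),
        "hash_of_id": guessable_from_ids(name_hash_of_id, item),
        "static_salt": guessable_from_ids(name_static_salt, item),
        "per_item_salt": guessable_from_ids(name_per_item_salt, item),
    }


if __name__ == "__main__":
    for scheme, guessable in report().items():
        print(f"{scheme:14s} guessable from IDs alone: {guessable}")
```

The per-item salt only holds up as long as the salt material really does vary per item and is not itself enumerable; a title that is reused across many files, or a timestamp rounded to the day, narrows the search again. Storing a random per-item value at creation time, or using the keyed variant, removes that dependence on the quality of the public metadata.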