By retrieving three you can perform an if on one value; if that fails check the other two values. This allows you to save the other two calls for most logins.

You're now doing up to 3x the work for every login. When servicing millions of requests a second, that cost adds up.

Passwords are only verified on login. Does it seems reasonable that there are millions of logins to Gmail from mobile devices every second?

Back of the envelope: 2 million logins per second would mean about 170 billion logins per day. With 7 billion people on the planet, that'd mean about 25 logins per day from each man, woman and child.

“Up to 3x the work” is very misleading, since the average will be much less than 3.

I would imagine it's sequential: check exact match hash, if it fails check uppercase-initial-hash, etc.

Instead of just telling the parent that they're doing something can wrong in a condescending way, can you explain what it is they should do differently? At least a link to an article that explains this?

good lord, why would you ever expect psuedo code to be my level of understanding of how to store a password. i don't ever store passwords. hashes only.

Because the pseudo code looks quite bad? The clause should pick the user not the password or hash or anything like it. The hash (and possibly salt etc) should come back via the selected column list. The other way round is inviting trouble and could indicate a poor understanding, though I agree they shouldn't be so snarky without some explanation.

Unless it has been edited since i saw it, the pseudo sql doesn’t select anything, a logical assumption is user identity and not needed. The comparison is between the original hashed password and the hashes made at auth-time. The name of the original is “pass” but since it wouldn’t make sense to compare a plaintext string to a hash another logical assumption is that “pass” is a hash.

Maybe these generous assumptions about someone’s pseudo code are unwarranted?

Jeebus, it's just meant to show that you could do a select in one go without having to do them one at a time cascading to the next one if no match. I don't know what you need to select, that's up to the reader. That's the point of psuedo code. You saw select and made the connection to "it's a database query". Boom. point made. Again, I understand the concept of user provided pass and a hash with a salt. If you can't really put 2+2 together to see that you're taking the 3 different options then I'm sorry for you.

Look, whatever it’s meant to show, it also looks like a security nightmare that implies a lack of understanding. Are we supposed to ignore that because it’s pseudo code? Clearly some of us think not.

It’s not the select that’s the problem, it’s the clause, so your explanation also seems to imply that misunderstanding on your part is real.

> it's just meant to show that you could do a select in one go without having to do them one at a time

Which means you are performing 3 hashes, two of which are likely unnecessary and sending all of them to sql for evaluation.

What's more costly, sending 3 separate queries or calculating 3 hashes? I honestly don't know.

You have to calculate at least one hash and you only have to perform one query (as it can grab multiple hashes at once), and that query should not choose what to return based on the content of the hash(es).

Pseudo code is supposed to strip away details that might distract from fundamentals, yet your pseudo code and subsequent replies suggest that your understanding is contrary to the actual fundamentals of checking a password securely. Start with limiting the set by choosing by user, never by hash.

Jeremy Evans goes over many of the fundamentals[1], including why restriction of the selection is important, and why restriction of access to hashes (i.e. not sending them from the initial machine) are important. In his own framework (Rodauth) he doesn’t even allow selects of the hashes to be returned to app, let alone used as part of the where clause. Note the clause in each of the functions he defines (12:53 and 14:05).

[1] https://www.youtube.com/watch?v=z3HZZHXXo3I

> The comparison is between the original hashed password and the hashes made at auth-time.

Didn't I write that this shouldn't be done via the clause? I haven't edited my comment either so it should still be there and I see it is.

> the pseudo sql doesn’t select anything

It should select the hash(es) and bring them back to the app for comparison.

> The name of the original is “pass” but since it wouldn’t make sense to compare a plaintext string to a hash another logical assumption is that “pass” is a hash.

It doesn't matter whether it's a password or a hash, the form of the SQL statement is going to cause trouble and should be the other way round.

> Maybe these generous assumptions about someone’s pseudo code are unwarranted?

Perhaps you meant to reply to someone else?

> It should select the hash(es) and bring them back to the app for comparison.

Agreed 100%. Calculating three hashes and sending them to sql for comparison—maybe index lookup—seems backward to me.

You're really grilling someone for not fetching salts in psuedocode?

It's not about fetching salts, it's about the whole approach; you literally can't approach it that manner.

I guess they had faith that readers would be experienced enough to connect the dots.

Given the forum I too would have believed that to a reasonable assumption, but this thread shows it may not have been.