
From idea to product in 7 days - weddpros
https://medium.com/@hartwigchris/from-idea-to-product-in-7-days-f44ff8c525eb#.5kggxksnz
======
bigiain
" … and here you go: your certificates are now stored in mongodb (for sharing
of certs among instances)."

I _assume_ it's not just me who just went "Wait, you did WHAT??? With your SSL
certs???" here?

s/instances/anyone with a shodan account/

;-)

~~~
bigiain
Even more facepalm...

"But with Bitcoin came a great idea: we’re not going to ask for an
email/password registration! Instead, we’ll use the transaction hash as a
proof of payment… and that proof of payment is also an authentication for the
user. In a word, the transaction hash is the user’s login/password! and it’s
certainly way more secure than a password like ‘password’."

So your proof-of-payment, is confirmed by the public blockchain including a
particular hash. And your login authentication, which is apparently way more
secure than "password" - is that hash, which is on the public blockchain?

 _BOGGLE!_

(A day's worth of bitcoin transactions is something less than 300,000 publicly
available transaction hashes - simplistically "password" has maybe 28 bits of
entropy - or about 1000 times _more_ than a bitcoin transaction hash from a
particular day...)

~~~
weddpros
I disagree. Use a dictionary to brute force passwords, and 'password' has
exactly 0 bits of entropy. '123456' comes right after it.

In the end, one transaction hash among 300k offers more security than any word
you could find in the dictionary. And you should consider a year of hashes,
not a single day...

I'm not pretending to have invented a new ultra-secure way to authenticate,
just one that's secure enough (more than words, less than random passwords)
and totally anonymous. Would you prefer an email-hash combo? Or a
hash-password?

Finally, I was expecting a more positive attitude.

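The two comments above argue over guessing spaces: a day's worth of transaction hashes (the thread's 300,000 figure) versus a year's, versus a dictionary word or a random password. The script below is an added example, not code from the thread or from the article it discusses; it puts those figures side by side as bits of guessing work and as time to exhaust the space at an assumed online guess rate. The 100,000-word dictionary, the 365-day multiplier and the 10 guesses/second rate are assumptions for illustration. The point it makes concrete is the one bigiain raises: because every accepted hash is readable on the public chain, the 256 bits of the hash itself never enter the calculation, only the count of hashes the service accepts.

```python
import math

# Added example (not from the thread or the article it discusses): the
# guessing-space arithmetic behind the entropy argument in the comments.
# 300,000 hashes/day is the thread's figure; the dictionary size, the
# per-year multiplier and the guess rate are assumptions for illustration.

HASHES_PER_DAY = 300_000       # figure quoted in the thread
DICTIONARY_WORDS = 100_000     # assumed size of a cracking wordlist


def guessing_bits(space_size: int) -> float:
    """Bits of work to guess a secret drawn uniformly from space_size candidates."""
    if space_size < 1:
        raise ValueError("space must contain at least one candidate")
    return math.log2(space_size)


def hours_to_exhaust(space_size: int, guesses_per_second: float) -> float:
    """Wall-clock hours to try every candidate at a fixed online guess rate."""
    return space_size / guesses_per_second / 3600


def candidate_spaces() -> dict:
    """Sizes of the authenticator spaces discussed in the thread.

    A transaction hash is public, so an attacker who reads the blockchain never
    has to guess 256 bits; only the number of hashes the service accepts counts.
    """
    return {
        "dictionary word": DICTIONARY_WORDS,
        "tx hash, one day": HASHES_PER_DAY,
        "tx hash, one year": HASHES_PER_DAY * 365,   # assumed: accept a year of hashes
        "random 10-char [A-Za-z0-9]": 62 ** 10,
    }


def report(guesses_per_second: float = 10.0) -> dict:
    """(bits, hours to exhaust) per space at an assumed online guess rate."""
    return {
        name: (round(guessing_bits(n), 1),
               round(hours_to_exhaust(n, guesses_per_second), 1))
        for name, n in candidate_spaces().items()
    }


if __name__ == "__main__":
    for name, (bits, hours) in report().items():
        print(f"{name:28s} {bits:6.1f} bits  {hours:>16,.1f} h at 10 guesses/s")
```

Run as-is it prints one line per space. Both commenters turn out to be right about their own figures: a single day of hashes is a little larger than a typical cracking wordlist, a year of hashes is still under 27 bits, and neither comes near a short random password; the exhaustion column shows why a publicly enumerable authenticator needs rate limiting far more than a random one does.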
