Hacker News new | comments | show | ask | jobs | submit login

Maybe because people frequently reference scrypt as a password hashing function, but when you download the source and look in the top level, what you get is an example of an encryption utility and no documentation other than a man page for said encryption utility?

You mean the code which is labeled on the website as "A simple password-based encryption utility is available as a demonstration of the scrypt key derivation function"?

Remember, not everyone who uses your library is a security expert, or will spend the time to read all of the code

I know people won't read all the code... but you'd think that people would at least read the comment directly above the function prototype

    * Encrypt inbuflen bytes from inbuf, writing the resulting inbuflen + 128
    * bytes to outbuf.
and realize that this doesn't even sound remotely like what they were looking for.

sigh

I've added a warning to the top of scryptenc.h which will hopefully help to point people in the right direction.




  You mean the code which is labeled on the website as "A 
  simple password-based encryption utility is available as 
  a demonstration of the scrypt key derivation function"?
Think of this from the perspective of someone who's looking for a password hashing function. Remember that a lot of people are fairly unclear on the idea of password hashing vs. encryption; lots of people say things like "the password database was encrypted" when they mean "the password database was hashed." For someone who is a bit fuzzy on the idea, but has been pointed to scrypt as the solution for secure password storage, they may just think "oh, it encrypts the passwords, OK" and go ahead and use the encryption functions.

The additional note is definitely helpful; I still think it would be good to put something at the top level which points people in the right direction.

As is, if someone wants to figure out what to do for password hashing, they have no documentation at the top level. The most promising thing to try, main.c, just uses the encryption functions. If they then jump to the definitions, your note is over 50 lines above the declaration of scryptenc_file, well outside of what will normally show up in their editor window. Yeah, they will probably have to scroll up a little to find the definitions of parameters and return values, but it's possible to do that and miss the note.

I know, people should read the whole documentation, but it's probably easier to just point them in the right direction from the start than to convince people to read the full documentation.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: