This is going to make me sound like even more of an asshole, but I'm going to say it anyways because it is true: if you have to explain to yourself what a "salt" is, or you can't spell "nonce", you shouldn't be designing security systems. That doesn't mean your app needs to be insecure; it just means you should be using someone else's authentication system to do it.


You really need to calm the fuck down.

"if you have to explain to yourself what a "salt" is, or you can't spell "nonce", you shouldn't be designing security systems."

No, I don't have to explain to myself what a salt is, though my "Here's how I understand it" introduction probably misled you into thinking that. The only reason I said "Here's how I understand it" is that initially I wanted to explain both what a salt is (a notion I certainly understand because I read about it and implemented it) and what a nonce is (a notion I probably don't understand because I didn't really read about it and didn't implement it).

I know I still have much to learn, but at least I know what I don't know with respect to nonces, and I find it pretty lame that you're saying I shouldn't "design security systems" just because I can't spell a word properly for a technique I just admitted I "never used and can only make guesses [about]".

I've been working like crazy for the last 2 years to learn everything about Common Lisp and making websites and you're saying I should give up everything just because I still have things to learn?!

You can't judge someone's skills just by looking at a data point like that. The concepts of closures and macros are now completely automatic and obvious to me but I wouldn't call someone who never heard of it or has just a basic understanding of it "someone who should never program". Of course I'd point it out if they said they had a firm grasp of it while it was obvious that they didn't.


I'm not sure why I'm meant to care how hard you worked over the last 2 years to learn Common Lisp.

A huge fraction of the security breaks over the past 15 years --- which cost us billions and billions of dollars --- are traceable to the mindset that says that figuring out security is just like figuring out how to scale a database: "you try and try and try until you get it right". Well, no.

I don't have an authentication system to sell you, but someone else does, and you should use it before you try to build one yourself.


In other news, I have totally turned into that fat old guy who bugged me on Usenet when I was 18 and getting started. I'm off to cry into my beer.


This is hacker news. I think that we are all here to learn. We all have different levels of expertise as well as areas of interest. I'm personally not working a full time coding job yet because I'm still in school and I still have quite a bit that I want to learn just hacking around on my own smaller projects.

The fact that the concept of a salt isn't totally automatic to him, or that he misspelled nonce, only means that he shouldn't be designing security systems right now. There is a lot that we can all learn; some of us just have farther to go than others.


| ...only means that he shouldn't be designing security systems right now.

That is almost letter-for-letter what Thomas said.
