Can bcrypt’s computational expense be reduced on the server side?

(Caution: Amateur security research ahead.  Using it in a live system is not recommendable.) I recently read “How to Safely Store a Password”, an article by Coda Hale. For years I’ve thought that salting and hashing passwords with MD5 or SHA-1 prior to storage was sufficient to thwart password-cracking efforts (in cases where the user-account database table is stolen or publicly divulged). Apparently, this approach is not much better than simply storing plaintext passwords (a practice widely scoffed at). It was fascinating to find out about a better approach, that of using bcrypt instead of ordinary hash functions. Unfortunately, it seems to me that bcrypt creates a new problem even as it solves an old one… The New Problem The use of bcrypt turns...

Facebook, the Island of the Lotus-Eaters

Last night I watched Percy Jackson & the Olympians: The Lightning Thief on TV.  (Beware, spoilers ahead.) This moderately-entertaining movie cleverly incorporates a number of elements from Greek mythology.  One of them is the island of the lotus-eaters, reimagined as a casino. Percy Jackson and his two sidekicks need to visit this casino to look for a special, hidden jewel.  At the casino, they are persistently offered and keep consuming some unusual, mind-altering appetizers.  The addictive hors d’oeuvres make them forget why they were there and what their mission was.  After a long time they manage break out of their stupor, retrieve the jewel, and resume their quest. Sometime after watching this scene, I was struck by the realization that Facebook is...