Security quotes of the week
[Posted January 23, 2013 by jake]
Achieving any real security requires that password verification take on the
order of hundreds of milliseconds or even whole seconds. Unfortunately this
hasn't been the experience of the past 20 years. MD5 was launched over 20
years ago and is still the most common implementation I see in the wild,
though it's gone from being relatively expensive to evaluate to extremely
cheap. Moore's Law has indeed broken MD5 as a password hash and no serious
application should still use it. Human memory isn't more of a problem today
than it used to be though. The problem is that we've chosen to let password
verification become too cheap.
--
Joseph Bonneau
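An added example, not part of the quoted text or of the original page: one way to tune a password hash so that a single verification costs a chosen fraction of a second on the current machine, and to compare that cost with a single MD5. PBKDF2-HMAC-SHA256 is used only because it ships in Python's standard library; the function names, the 0.25 s target, the iteration floor and the sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

def time_call(fn, repeat=3):
    """Best-of-N wall-clock seconds for one call to fn()."""
    best = float("inf")
    for _ in range(repeat):
        t0 = time.perf_counter()
        fn()
        best = min(best, time.perf_counter() - t0)
    return best

def calibrate_iterations(target_seconds=0.25, floor=100_000):
    """Scale a timed probe to an iteration count costing about target_seconds here."""
    probe = 50_000
    elapsed = time_call(lambda: hashlib.pbkdf2_hmac("sha256", b"probe", b"\0" * 16, probe))
    return max(floor, int(probe * target_seconds / elapsed))  # floor is an assumed minimum

def hash_password(password, iterations):
    """Return a self-describing record so the work factor can be raised later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))  # constant-time comparison

def cost_ratio(iterations):
    """How many single MD5 computations fit in one verification at this work factor."""
    pw = b"correct horse battery staple"  # constructed sample input
    md5_t = max(time_call(lambda: hashlib.md5(pw).digest(), repeat=1000), 1e-9)
    kdf_t = time_call(lambda: hashlib.pbkdf2_hmac("sha256", pw, b"\0" * 16, iterations))
    return kdf_t / md5_t

if __name__ == "__main__":
    n = calibrate_iterations()
    record = hash_password("correct horse battery staple", n)
    print("iterations:", n, "verifies:", verify_password("correct horse battery staple", record))
    print("one verification costs about %.0f MD5 evaluations" % cost_ratio(n))
```

Storing the iteration count inside each record lets the calibration be rerun on newer hardware and old hashes be upgraded at the next successful login.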
Beyond that, there's the fact that Facebook "likes" and profile settings
aren't necessarily accurate reflections of reality. A search for "Married
people who like Prostitutes" seems more likely to turn up people who
thought it would be funny to hit "like" on a page called "Prostitutes" than
actual johns. And note that those "Islamic men interested in men who live
in Tehran, Iran" all say they're interested in both males and females,
which probably just means that they interpreted "interested in" in a
non-sexual way and decided not to discriminate by gender. Still, I wouldn't
envy the hypothetical position of a Chinese citizen trying to convince
Communist Party agents that he hit "like" on the "Falun Gong" page
ironically or by accident.
--
Will Oremus on Facebook's new search in Slate