V0 is now available! We'll release moreeee soooon .
i see aloot of developers only care about languages and frameworks, discussing apis and design
Mangle: Google's Bold Take on Database Programming Google introduced [Mangle](https://github.com
zod but 100x faster? π We all know Zod for runtime validation. But there's
let's imagine you are a pentester (assuming you are a good person). you got somehow access to the database and now you can see all users stored...
when you query the users table you see:
id | username | password
---|----------|----------
1 | john | $2y$10$92IXUNpkjO0rOQ5byMi.Ye4oKoEa3Ro9llC/.og/at2.uheWG/igi
2 | jane | $2y$10$92IXUNpkjO0rOQ5byMi.Ye4oKoEa3Ro9llC/.og/at2.uheWG/igi
...now simple passwords like password or 123456 or qwerty are shown as gibberish. and now the passwords look useless. but is it really?
this is exactly why all serious companies protect their passwords.
so let's see how this works.
imagine you have some ingredients like a password and you blend + cook those ingredients together. can you get the ingredients back if you only have the final dish? β
thatβs what a hashing function does. it takes the password and produces a fixed-length string of characters, called a hash. the hash is unique to the password and cannot be reversed to retrieve the original password.
same input => same output
password => $2y$10$92IXUNpkjO0rOQ5byMi.Ye4oKoEa3Ro9llC/.og/at2.uheWG/igiso now when users create accounts, the passwords are not stored directly. they are hashed first, then stored. think of it as secure fingerprint storage.
flowchart TD
A[user enters password (signup)] --> B[Server hashes password]
B --> C[Store hash in database]
D[user enters password (login)] --> E[Server hashes input]
E --> F{Compare with stored hash}
F -->|Match| G[Login Success β
]
F -->|No Match| H[Login Failed β]but a problem: if users choose weak passwords, attackers can still guess. using precomputed tables called Rainbow Tables π. thatβs what happened to LinkedIn when they used unsalted SHA-1. plain hashing is not enough.
a salt is just a random string of characters added to the password before hashing. this makes rainbow tables useless.
example:
password123 + salt123 => $2y$10$92IXUNpkjO0rOQ5byMi.Ye4oKoEa3Ro9llC/.og/at2.uheWG/igieven if two users pick the same password, their stored hashes will be different. rainbow tables are now ineffective. attackers will try brute force with password lists like rockyou.txt instead.
this is why big companies use algorithms like bcrypt, scrypt, or argon2. they are designed to be slow and resource-intensive.
OWASP recommends using adaptive hashing like bcrypt, scrypt, or argon2 to slow attackers down.
a pepper is a secret value stored outside the database, maybe in a hardware security module (HSM) or secure enclave.
hash = Hashing(password + salt + pepper)Google and Amazon mention using these techniques. even if DB is stolen, without the pepper itβs harder to crack.
π the answer is OWASP rules:
all of this effort is because we still rely on passwords. but big tech is moving away β biometrics, passkeys, and passwordless auth πβ¨.
π in the next sooner iβll break down passkeys and how they may end the password era.