Weblog.sh – hosted blogging from the command-line (weblog.sh)
119 points by mrzool on Nov 24, 2015 | hide | past | favorite | 47 comments


Another service using pathetic password hashing:

https://github.com/hmngwy/weblog.sh/blob/master/lib/ssh/exec...

      else if(command[0] === 'password') {

        if(args.length===0) {
          stream.write('→ You need to specify a password.\n\r');
          stream.end();
          return;
        }

        // Plain SHA-256 over password + salt: a fast general-purpose hash,
        // not a password KDF.
        var hash = require('sha256');
        var payload = args;
        var salt = schemas.randomString(32);

        userMeta.user.hash = hash(payload + salt);
        userMeta.user.salt = salt;
        userMeta.user.token = schemas.randomString(64);

        stream.write('… Saving new password'+LB);
        userMeta.user.save(function(err, saved){
          if(err){
            stream.write('→ Password update failed.'+LB);
            // Stop here: `saved` is undefined on error, so the success
            // message below would throw on `saved.username`.
            stream.exit(1);
            stream.end();
            return;
          }

          var response = [];
          response.push("→ password for "+saved.username+" updated"+LB);

          stream.write(response.join(LB));
          stream.exit(0);
          stream.end();

        });

      }


"pathetic" is a bit harsh. Yes, one should be using b/scrypt nowadays, but at least he's using salt and sha256; it's not md5. It could be better, but it could also be much worse.


sha256 is not "better" than MD5 for password hashing; they're both incredibly fast to brute force and both not meant for password hashing. bcrypt/scrypt, configured correctly, are much slower and much more secure.


salt adds a minor hurdle and that's it.


PHP has an easy-to-use password hashing function with secure defaults right there in the standard library:

http://php.net/password_hash

This is one idea of PHP's that other languages should copy.


Hashes are generally used to check data integrity ...

When hashing passwords you want a function that is slow and has MANY (but not too many) collisions so that it can not be brute-forced in any direction.


>have MANY (but not too many) collisions so that it can not be brute-forced in any direction

I don't understand this part? Basically if I'm able to find a collision it's like I found the real password, so why is a function with many collisions better for password hashing? Is there a way to differentiate the collisions?

EDIT: typo


You don't want collisions, as the entire point of a hashing algorithm is to _not_ have collisions. I'm not sure what the OP is talking about.

What you really want for password hashing is a key derivation function, which will generate a random, unique hash slowly.


Let's say someone gains access to the password hashes; he/she can compute hashes until a match is found, and then log in to that particular system, but does not know the secret (if there are many collisions, and the pw is random). I'm no expert though, and I assume that if someone gains access to all the password hashes, he/she already has access to the system.


Can you explain why this is no good? Just sha256?


SHA256 is a hashing algorithm, which is supposed to be able to create a checksum fast. However, you don't want your passwords to be cracked at a fast speed, so you use a KDF like bcrypt or scrypt, which is much slower and harder to implement on GPUs.


OSX user; registered as myself.

First impressions are not good.

• scp very slow; doesn't work

• vim scp:// doesn't work

• emacs tramp[1] definitely doesn't work (scpx says invalid command; ssh, scp and sftp methods say "EDITOR SOON")

I noticed you're using ssh2js[2], but not using its built-in features for getting the public key from the client.

I think this would make a much better experience than asking for a password (that you don't echo, don't confirm, and annoyingly don't reset the terminal state afterwards).

I also think you should look at getting the sftp subsystem working as it is simpler and much more reliable than scp.

I hope you fix these things because I'd like to try it again.

[1]: http://www.emacswiki.org/emacs/TrampMode

[2]: https://github.com/mscdex/ssh2


You might want to raise issues for these: https://github.com/hmngwy/weblog.sh

I don't know why they don't link to that from the front page.


vim scp:// works for me (ubuntu here). Tramp I had an issue with, too, not sure what the deal with that is. My emacs is acting up a bit today.

I think scp being slow probably has more to do with his/her hosting than implementation. My post went through just fine so I'm tempted to blame your local setup somehow.

I agree completely about resetting the terminal state; I think that may be getting addressed here --- https://github.com/hmngwy/weblog.sh/issues/19.


>At the time of writing we are spending around $15 a month to keep the service up. If 75 people donated 5 cents a week, we'd be sustainable. - 27/10/15

And yet I'm pessimistic it'll get that funding. I just don't know if it's possible to make money writing software like this.


It would probably make more sense, and be more likely to get 15 people to donate $10 a year (as a one-time donation, with a new 15 people donating $10 the next).

I'm also rather pessimistic about "making money" like this.

You'd have to sell a service for that to make any kind of sense. Target a minimum of, say, 10$ user/year, or user/month (yes, those are two wildly different prices, and two somewhat different levels of "perceived value" you'd need to provide).

Micropayments only make sense at massive scale - and you won't have that starting out. If you can't build up to 10.000 users paying 10/year, you could probably sustain a developer. Just make sure that doesn't generate work for 30 support staff. But "breaking even" (we won't have to stop because we're burning money on hosting) is different from "making money".

It's probably a good idea to do one, or the other. Not something in the middle.

Major caveat: I've only thought about pricing models, never found the opportunity to try them out in practice.


Watch what happens over the next few months to PushBullet - they've learnt the hard way that pricing is serious business. They had a base of users who were used to a free product, then they tried to bring in a $40/year plan with no middle ground.

https://blog.pushbullet.com/2015/11/17/introducing-pushbulle...

https://www.reddit.com/r/PushBullet/comments/3t5ogz/introduc...


He is not trying to make money. He just tries to cover his costs. That's way more realistic and I think it might work out.


Tried it out. I keep `scp`ing a file, or editing it using `vim scp`, but on browsing or publishing, I get an "Article does not exist".


Me too. I love the idea though - I'll be back and donating if it improves.


Nice idea, I love it!

If you want a similar solution, but self-hosted, here's another commandline blogging system contained in a single bash script: https://github.com/cfenollosa/bashblog


This can be self-hosted; not very nice to plug yourself like this.


It would be neat to have different layouts to choose from (maybe similar to jekyll with a "layout: xyz" parameter).

Besides that I really like the idea. Reminds me a little of the old-style BBS communities. Even though I understand that people need to make money, a project like this would gain much more from being open source. It would give more people the possibility to run a service like this and everyone would profit from further developments.

But that's up to you, and I'm absolutely fine with people making money from webservices! :)


This is open source, I have no idea what you're talking about: https://github.com/hmngwy/weblog.sh


Oh, my mistake. Even better!


Really like the concept. Hopefully you can work out the issues raised by others, can't wait to see where this goes. Consider your current costs covered.


Wow, impressed by the platform. Posted the first draft from mobile, and it's totally insane. One thing, the name sunsed is a bit messy to start with.


You just made my day! Thanks!! :) Yes, you are right, the name SunSed is a tricky name to start with, especially for the sake of SEO. I also hope one day autocorrect systems do not change SunSed to SunSet. By the way, it stands for: SUN Shines Every Day. At least it's 6 letters and almost easy to remember.


Why are you replying to comments about the link, not directed at you?


Sorry if it seems obvious, how do you post from mobile?


Top right of the screen. When you are editing a post of course.

https://storage.googleapis.com/sunsed.com/images/tutorials/p...

Thanks for trying SunSed my friend!


And there isn't a password reset option or password confirmation. Hope you typed it right!


Password is there just to let you upload a certificate; hopefully you will not use it.


I haven't tested it yet but this looks great! I was kind of looking for something like this.

I'll give it a try in a week or so. Hopefully the problems will be fixed.

IMO the only thing missing is the ability to tag your entries. Maybe the site could parse a markdown tag entry in the file. Something like:

# _tags_ #

programming

c++

network


I think it'd be responsible to recommend generating a new key pair specifically for this platform. Disregarding that, I think this is really cool.


This is similar to tilde, which is an awesome idea. It should have some community aspect to be successful.


Can you elaborate more about tilde? Is there a webpage?


http://tilde.club/, but they have a waitlist right now.


As someone who has spent the past two years and is planning to spend at least the next 5 years creating the best blogging platform (SunSed.com), I have to admit this idea is simple, refreshing and brilliant! I had a similar idea called textBlock but killed it in favor of SunSed. +1 for this project!


Signed up to try your site out. When I create my first blog, there's a typo, just so you know:

> Choose your new bolg's template


Thanks! :)


How to provide a key? Sorry, I am a noob, please help!


probably ssh-copy-id (I didn't test this though)


This is really awesome! I love it.


This is totally going to pollute the search of the term "web logs"


The term blog is derived from the concatenation of "web log".


yes, and "blog" is a distinct term from "web log".



