Something like bcrypt.
It uses a very slow hashing solution and a built-in unique salt so that any brute force takes extreme time.
The main reason to avoid the common hash functions is that they are built for speed which helps the attacker.
For passwords it's no problem if checking the password takes 1/10 of a second instead of 1/100 000 of a second. But the difference for the attacker is 10 000 times more time to crack.
Who cares about speed here, security > a few ms.
Anyway, that's what load testing is for with a tool like flood.io, nuke the shit out of your server and see how it handles the load, see if your scale out rules are working, etc.
Bcrypt implementations generally have a tunable hash level. The idea being that there's generally an accepted level; once someone manages to have a fast enough method of finding collisions, then that level gets increased.
It's an official standard and is used for slowing down the process of brute forcing passwords hashed by fast hash functions.
@calmyourtities that's what bcrypt does.
You set it to a number like 10 and it rehashes 2 to the power of your number times, in this case 1024 times.
And since it's serial hashes you cannot parallelize it.
There are some other varieties but I guess they all work in similar ways.
The benefit of using some standard is that much testing has been done.
If you roll your own you just might hit a combination that repeats itself every 20 hashes or so, in practice capping the security.
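To make the cost-factor argument above concrete, here is an added example (not from any of the posters) that mimics bcrypt's shape: a self-describing stored string that carries the cost and a random per-password salt, 2**cost serial iterations of work, and a constant-time verify. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt's own function, purely so it runs without third-party packages; the `$pbkdf2-sha256$` string layout is an assumed format for this demo, not bcrypt's.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

ALGO = "pbkdf2-sha256"   # assumed label for this demo's stored-string format
SALT_BYTES = 16

def hash_password(password: str, cost: int = 10, salt: Optional[bytes] = None) -> str:
    """Return '$pbkdf2-sha256$<cost>$<salt hex>$<digest hex>'.

    As with bcrypt, cost and a fresh random salt travel with the hash, and the
    work is 2**cost serial iterations (cost 10 -> 1024), so one guess cannot
    be split across cores; only separate guesses can run in parallel.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # unique per password, built into the output
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** cost)
    return f"${ALGO}${cost}${salt.hex()}${digest.hex()}"

def parse_stored(stored: str) -> tuple:
    """Split the stored string back into (cost, salt, digest)."""
    _, algo, cost, salt_hex, digest_hex = stored.split("$")
    if algo != ALGO:
        raise ValueError("unknown hash format")
    return int(cost), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored cost and salt; compare in constant time."""
    cost, salt, expected = parse_stored(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** cost)
    return hmac.compare_digest(candidate, expected)

def attacker_slowdown(old_cost: int, new_cost: int) -> int:
    """How many times longer every guess takes after raising the cost."""
    return 2 ** (new_cost - old_cost)

def pick_cost(target_seconds: float = 0.1, max_cost: int = 20) -> int:
    """Lowest cost whose single check takes at least target_seconds on this box.

    This is the '1/10 of a second is fine for a login' tuning from the thread;
    re-run it when hardware gets faster and raise the cost for new hashes.
    """
    for cost in range(4, max_cost + 1):
        start = time.perf_counter()
        hash_password("benchmark", cost, salt=b"\x00" * SALT_BYTES)
        if time.perf_counter() - start >= target_seconds:
            return cost
    return max_cost
```

Because the cost is stored with each hash, old hashes keep verifying after you raise the default; rehash on the next successful login to migrate them.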
“Don’t deal with passwords yourself” would be the professional answer. You have a few companies that do this as their core competency. They do a way better job than you ever can. You then use OAuth2 to federate to your application.
@calmyourtities It is not supposed to, no.
But that has been said about a lot of things regarding encryption; then someone finds a weak spot that cuts cracking time by several magnitudes.
For some of the common encryptions it has been proven that some of the values you get to choose from create weaker keys.
Btw, went for bcrypt now. Neat stuff actually, thx for the tip.😊