Serious biased question:

What's the newschool way of storing passwords now that everyone is against the known hashes?

Would prefer storing it in a good 'ol database tho pls.

  • 9
    Something like bcrypt.

    It uses a very slow hashing solution and built in unique salt so that any brute force takes extreme time.

    The main reason to avoid the common hash functions is that they are built for speed which helps the attacker.

    For passwords its no problem if checking the password takes 1/10 of a second instead of 1/100 000 of a second. But the difference for the attacker is 10 000 times more time to crack.
  • 1
    @Voxera I see that and thank you for that answer.

    But - without trying to go above myself - wont this affect overall performance for game-servers when every login fires up the server?
  • 6
    @Voxera just realizing.. thats why we have login and game servers seperated i guess.^^'
  • 4
    Who cares about speed here, security > a few MS.

    Anyway, thats what load testing is for with a tool like flood.io, nuke the shit out of your server and see how jt handles the load, see if your scale out rules are working, etc.

    Bcrypt implementations generally have a tuneable hash level. The idea being that theres generally an accepted level, once someone manages to have a fast enough method of finding collisions, then that level gets increased.
  • 0
    @D--M thanks for the tip. Didn't know about flood.io (:
  • 2

    it's an official standard and is used for slowing down the process of brute forcing passwords hashed by fast hashfunctions.
  • 0
    @Voxera what about rehashing something many times, was that a bad idea on my part? I've used it on a small project (not public)
  • 1
    @calmyourtities thats what bcrypt does.

    You set it to a number like 10 and it rehashes 2 to the power of your number times, in this case 1024 times.

    And since its serial hashes you cannot parallelize it.

    There are some other varieties but I guess they all work in similar ways.

    The benefit of using some standard is that much testing had been done.

    If you roll your own you just might hit a combination that repeat it self every 20 hashes or so, in practice capping the security.
  • 2
    “Don’t deal with passwords yourself” would be the professional answer. You have a few companies that do this as their core competency. They do a way better job than you ever can. You then use OAuth2 to federate to your application
  • 0
    @Voxera yay go me! I did something smart! and I've always wondered about that, but I don't think any inputs to a standard hashing function will return the same output, I've previously researched this and haven't found any
  • 1
    @calmyourtities It is not supposed to no.

    But that has been said about a lot of things regarding encryptions, then some one finds a weak spot that cuts cracking time by several magnitudes.

    For some if the common encryptions it has been proven that some of the values you get ti choose from creates weaker keys.
  • 0
    Btw, went for bcrypt now. Neat stuff actually, thx for the tip.😊
Add Comment