Page 1 of 1
google url storm
Posted: Thu Jun 30, 2011 6:18 pm
by Timbalu
Re: google url storm
Posted: Thu Jun 30, 2011 9:14 pm
by onli
At the moment, s9y is using phps sha1(), with the output of time() as salt.
Note that using something slower than that, like bcrypt, adds only security in the sense that if the database is stolen, the hash might be attacked and thus the password obtained.
Pro change:
* There are reports about fundamental issues in sha1.
* There are alternatives more expensive to crack.
Contra change:
* Which hash-algorithm should be the alternative? To guarantee the use of bcrypt, probably the best choice, php 5.3.2 is needed.
* We had quite some issues with upgrades when introducing sha1 instead of md5.
We probably should introduce iterations though, or try to use bcrypt when abailable..
Re: google url storm
Posted: Fri Jul 01, 2011 9:16 am
by Timbalu
onli wrote:We probably should introduce iterations though, or try to use bcrypt when abailable.
Yes, phpass has a fallback and PHP is heading to 5.4.
The article is about slowing down brute_force with a strong hash and many iterations to make it very expensive (by time and, last but not least, money), even in times having clouds, cuda, etc.
This is nothing to think about for 1.6, but in some of the next versions.
Re: google url storm
Posted: Fri Jul 01, 2011 12:22 pm
by onli
Yes, phpass has a fallback and PHP is heading to 5.4.
The last fallback of phpass seems to be md5, which is undesirable.
Re: google url storm
Posted: Fri Jul 01, 2011 1:35 pm
by garvinhicking
Hi!
One problem is also that if bcrypt is so expensive, currently s9y does a password check on every page request that is done. If it really takes 0.3 seconds or so to calcuate a single password, that would MASSIVELY impact the s9y pagespeed for someone being logged in....
Regards,
Garvin
Re: google url storm
Posted: Fri Jul 01, 2011 3:39 pm
by onli
Uff. Why do we do that? Makes sense if we can't trust the session, but isn't the password stored in the session for the check?
)