Beefy Boxes and Bandwidth Generously Provided by pair Networks
go ahead... be a heretic
 
PerlMonks  

Password shtuff

by ysth (Canon)
on Dec 30, 2010 at 19:55 UTC ( #879861=pmdevtopic: print w/ replies, xml ) Need Help??
ysth has raised the following topic:

Rough notes on a chatterbox discussion.

How about md5 crypts instead of password in the cookie? That would allow passwords > 8 chars (with a user table change).

md5 may be too CPU expensive; needs to be tested.

An md5 crypt certainly takes more time than a des crypt: one some machine the md5 crypt seems to take 5e-4 second, the des takes 1.3e-5 seconds.

(comments about $3$/NT-hash)

Instead of comparing hashed password in cookie to hash of clear password in database, store the hashed password in the database and the non-salt part of it in the cookie; authenticate cookies via string compare.

Later, unhashed password will be eliminated.

update user edit page to require the previous password in order to change the password

have a real "password reset e-mail" feature

--
A math joke: r = | |csc(θ)|+|sec(θ)|-||csc(θ)|-|sec(θ)|| |
Online Fortune Cookie Search

Comment on Password shtuff
Re: Password shtuff
by tye (Cardinal) on Dec 31, 2010 at 00:12 UTC

    Testing on one of our web servers showed current crypt takes about 8us while MD5 crypt takes about 1ms, which is over 100x as much CPU (and we'd need better enforcement on the cap on password length but with a limit much higher than 7; a 200-char password takes about 3ms). But my proposal was to not even include the full non-salt encrypted password in the cookie, just the last $n characters, say 20 16 of the 22. Then we aren't even calling crypt on every page hit (just when somebody changes their password). And somebody sniffing your cookie doesn't mean they can dictionary attack and find your password.

    Corion and I have each worked on new "password reset e-mail" implementations.

    - tye        

Log In?
Username:
Password:

What's my password?
Create A New User
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others wandering the Monastery: (4)
As of 2014-07-26 03:24 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    My favorite superfluous repetitious redundant duplicative phrase is:









    Results (175 votes), past polls