PerlMonks
Re: Adjust bcrypt cost to prevent future password hash attacks

by muba (Priest)
on Jun 12, 2012 at 17:41 UTC


in reply to Adjust bcrypt cost to prevent future password hash attacks

If I read you correctly, your idea is to re-hash passwords every now and then as computers get faster, am I right? Assuming that I am, here's my question.

Once the hash of a password gets stored, we really no longer have any idea of what the actual password is. In an ideal world, even when the user tries to log in, a hash of his password is sent, and then the sent hash and the stored hash are compared to determine the success of a login attempt.

Given this, how do you propose the password is re-hashed without having the original password to work from?

Re^2: Adjust bcrypt cost to prevent future password hash attacks
by andreas1234567 (Vicar) on Jun 12, 2012 at 18:21 UTC
    .. when the user tries to log in, a hash of his password is sent
    No. When the user tries to log in, the password is sent (encrypted in transit, then decrypted (in memory only) to clear text on the server).
    Given this, how do you propose the password is re-hashed without having the original password to work from?
    At next successful login. Add password expiry functionality (i.e. max 30 days), and we can ensure that all passwords are either
    • invalid, or
    • re-hashed with increased cost over the next 30 days.

    --
    No matter how great and destructive your problems may seem now, remember, you've probably only seen the tip of them. [1]
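The upgrade-at-login scheme described in the reply above, as an added example that is not code from the thread or from either poster. It assumes Crypt::Eksblowfish::Bcrypt from CPAN, a Unix-like host with /dev/urandom for salt bytes, and a hypothetical in-memory user store; the cost values and the 30-day window are illustrative. The point it shows is that bcrypt stores its cost in the hash string itself, so a successful login (the one moment the server holds the clear-text password) is enough to detect an under-cost hash and replace it, while expiry invalidates anything that never logs in.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Crypt::Eksblowfish::Bcrypt qw(bcrypt en_base64);

# Work factor every stored hash should be at. Raise it as hardware gets faster.
my $TARGET_COST = 12;

# Password expiry window (the reply's "max 30 days"), in seconds.
my $MAX_AGE = 30 * 86400;

# Hypothetical in-memory user store: bcrypt hash plus when the password was set.
my %users;

sub random_salt {
    # 16 random bytes from /dev/urandom (assumes a Unix-like host).
    open my $fh, '<:raw', '/dev/urandom' or die "open /dev/urandom: $!";
    my $n = read $fh, my $salt, 16;
    die "short read from /dev/urandom" unless defined $n && $n == 16;
    close $fh;
    return $salt;
}

sub hash_password {
    my ($password, $cost) = @_;
    # Settings string format: $2a$<two-digit cost>$<22 base64 salt chars>
    my $settings = sprintf('$2a$%02d$%s', $cost, en_base64(random_salt()));
    return bcrypt($password, $settings);
}

sub cost_of {
    # The cost is carried in the hash itself, so no extra column is needed.
    my ($hash) = @_;
    my ($cost) = $hash =~ /\A\$2a\$(\d\d)\$/ or die "not a bcrypt hash";
    return 0 + $cost;
}

sub secure_eq {
    # Constant-time compare so response time does not leak a prefix match.
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

sub verify_password {
    my ($password, $hash) = @_;
    # bcrypt() parses cost and salt from the prefix of $hash, so passing the
    # full stored hash as the settings recomputes a directly comparable value.
    return secure_eq(bcrypt($password, $hash), $hash);
}

sub set_password {
    # New or changed passwords always land at the current target cost.
    my ($username, $password, $now) = @_;
    $users{$username} = {
        hash   => hash_password($password, $TARGET_COST),
        set_at => $now,
    };
}

sub login {
    my ($username, $password, $now) = @_;
    my $u = $users{$username} or return 'no such user';

    # Expired passwords are invalid regardless of cost; the user has to set a
    # new one via set_password(), which produces a hash at $TARGET_COST.
    return 'password expired' if $now - $u->{set_at} > $MAX_AGE;

    return 'bad password' unless verify_password($password, $u->{hash});

    # The clear-text password is in memory right now, so this is the only
    # moment an under-cost hash can be upgraded. Expiry is unaffected.
    if (cost_of($u->{hash}) < $TARGET_COST) {
        $u->{hash} = hash_password($password, $TARGET_COST);
        return 'ok, hash upgraded';
    }
    return 'ok';
}

# Demo: a hash made back when cost 8 was the norm, then logins after the
# target has been raised to 12.
my $t0 = time;
$users{alice} = { hash => hash_password('correct horse', 8), set_at => $t0 };
printf "cost before: %d\n", cost_of($users{alice}{hash});
print login('alice', 'wrong',         $t0 + 60), "\n";           # bad password
print login('alice', 'correct horse', $t0 + 60), "\n";           # ok, hash upgraded
printf "cost after:  %d\n", cost_of($users{alice}{hash});
print login('alice', 'correct horse', $t0 + 60), "\n";           # ok
print login('alice', 'correct horse', $t0 + 31 * 86400), "\n";   # password expired
```

Two things worth noticing when running it: the failed login does not trigger a re-hash (there is nothing to re-hash with), and the upgrade does not reset the expiry clock, so an account that keeps logging in with an old password is upgraded at the next login while an account that never logs in is simply forced to a reset, which is exactly the "invalid, or re-hashed" dichotomy the reply describes.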
