PerlMonks  

Re: Adjust bcrypt cost to prevent future password hash attacks

by muba (Priest)
on Jun 12, 2012 at 17:41 UTC


in reply to Adjust bcrypt cost to prevent future password hash attacks

If I read you correctly, your idea is to re-hash passwords every now and then as computers get faster, am I right? Assuming that I am, here's my question.

Once the hash of a password gets stored, we really no longer have any idea of what the actual password is. In an ideal world, even when the user tries to log in, a hash of his password is sent, and then the sent hash and the stored hash are compared to determine the success of a login attempt.

Given this, how do you propose the password is re-hashed without having the original password to work from?


Re^2: Adjust bcrypt cost to prevent future password hash attacks
by andreas1234567 (Vicar) on Jun 12, 2012 at 18:21 UTC
    .. when the user tries to log in, a hash of his password is sent
    No. When the user tries to log in, the password is sent (encrypted in transit, then decrypted (in memory only) to clear text on the server).
    Given this, how do you propose the password is re-hashed without having the original password to work from?
    At next successful login. Add password expiry functionality (i.e. max 30 days), and we can ensure that all passwords are either
    • invalid, or
    • re-hashed with increased cost over the next 30 days.

    --
    No matter how great and destructive your problems may seem now, remember, you've probably only seen the tip of them. [1]
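The upgrade-at-next-login policy andreas1234567 describes, as an added example (not code from this thread): the stored cost is parsed from the hash string, and a successful login re-hashes at the raised cost while the plaintext is still in memory, with a 30-day expiry making anything not yet upgraded invalid. Since bcrypt is not in Python's standard library, PBKDF2-HMAC-SHA256 with 2**cost iterations stands in for the work factor; the cost parser also accepts real bcrypt strings.

```python
import hashlib, hmac, os, re, time

TARGET_COST = 12                # the raised cost factor (assumed value)
MAX_AGE = 30 * 24 * 3600        # password expiry from the reply: 30 days

# bcrypt strings look like $2b$10$<salt><hash>; the stand-in used below looks
# like $pbkdf2$10$<salt hex>$<hash hex>. Both carry the cost in the prefix.
COST_RE = re.compile(r"^\$(?:2[abxy]?|pbkdf2)\$(\d{2})\$")

def cost_of(stored):
    m = COST_RE.match(stored)
    if not m:
        raise ValueError("unrecognised hash format")
    return int(m.group(1))

def needs_rehash(stored, target=TARGET_COST):
    return cost_of(stored) < target

# Stand-in for bcrypt (not in the stdlib): PBKDF2-HMAC-SHA256 with 2**cost
# iterations, so "cost" scales the work the same way bcrypt's cost does.
def hash_pw(password, cost, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** cost)
    return f"$pbkdf2${cost:02d}${salt.hex()}${dk.hex()}"

def verify_pw(password, stored):
    _, _, cost, salt_hex, _ = stored.split("$")
    recomputed = hash_pw(password, int(cost), bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)

def login(record, password, now=None):
    """record = {"hash": str, "set_at": epoch seconds}; returns (ok, record).

    The password's age is kept on re-hash: only a real password change
    resets set_at, so unconverted hashes cannot outlive the expiry window."""
    now = time.time() if now is None else now
    if now - record["set_at"] > MAX_AGE:
        return False, record            # expired: caller forces a reset
    if not verify_pw(password, record["hash"]):
        return False, record
    if needs_rehash(record["hash"]):    # plaintext is in memory right now
        record = dict(record, hash=hash_pw(password, TARGET_COST))
    return True, record
```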
