[OWASP-ESAPI] About owasp-esapi-java

Jim Manico jim.manico at owasp.org
Thu May 21 16:09:06 EDT 2009


The slowness is by design, intending to make it slower for someone with database access to brute-force the hash back to the password.

- Jim

  ----- Original Message ----- 
  From: Arshan Dabirsiaghi 
  To: jeffl.williams at owasp.org ; Bedirhan Urgun ; owasp-esapi at lists.owasp.org 
  Sent: Thursday, May 21, 2009 10:05 AM
  Subject: Re: [OWASP-ESAPI] About owasp-esapi-java

  The HashIterations value is a form of key strengthening [1]. Am I alone in thinking this value should be 1 (essentially off) by default? I'm not suggesting hashing is expensive as search, but I think people would not like the performance results of this feature. After all, it's intended to be slow. 


  [1] http://en.wikipedia.org/wiki/Key_strengthening


  4. There's a HashIterations property key in ESAPI.properties. But this isn't used in org.owasp.esapi.reference.JavaEncyptor's hash method. Instead there's a hardcoded 1024.

  Good catch. This has been fixed so the hash iterations are configurable now.  Thanks!



  OWASP-ESAPI mailing list
  OWASP-ESAPI at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-esapi/attachments/20090521/19e9f1ae/attachment.html 

More information about the OWASP-ESAPI mailing list