[OWASP-ESAPI] About owasp-esapi-java

Arshan Dabirsiaghi arshan.dabirsiaghi at aspectsecurity.com
Thu May 21 16:23:36 EDT 2009

Of course it is.
I'm saying most people, if they knew that this was going on, would choose not to use it because of the limited benefits it provides. It's possible that I'm wrong - I have no data to support that opinion. I just know lots of developers who generally like things to be really fast.


From: Jim Manico [mailto:jim.manico at owasp.org]
Sent: Thu 5/21/2009 4:09 PM
To: Arshan Dabirsiaghi; jeffl.williams at owasp.org; Bedirhan Urgun; owasp-esapi at lists.owasp.org
Subject: Re: [OWASP-ESAPI] About owasp-esapi-java

The slowness is by design, intending to make it slower for someone with database access to brute-force the hash back to the password.
- Jim

	----- Original Message -----
	From: Arshan Dabirsiaghi <arshan.dabirsiaghi at aspectsecurity.com>
	To: jeffl.williams at owasp.org; Bedirhan Urgun <urgunb at hotmail.com>; owasp-esapi at lists.owasp.org
	Sent: Thursday, May 21, 2009 10:05 AM
	Subject: Re: [OWASP-ESAPI] About owasp-esapi-java

	The HashIterations value is a form of key strengthening [1]. Am I alone in thinking this value should be 1 (essentially off) by default? I'm not suggesting hashing is expensive as search, but I think people would not like the performance results of this feature. After all, it's intended to be slow.
	[1] http://en.wikipedia.org/wiki/Key_strengthening


	4. There's a HashIterations property key in ESAPI.properties. But this isn't used in org.owasp.esapi.reference.JavaEncryptor's hash method. Instead there's a hardcoded 1024.

	Good catch. This has been fixed so the hash iterations are configurable now.  Thanks!
	OWASP-ESAPI mailing list
	OWASP-ESAPI at lists.owasp.org
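The iterated, salted hash that Jim and Arshan are weighing (a configurable HashIterations count that multiplies the cost of every password guess) is easiest to reason about with a working sketch. The block below is an added illustration for this archive page, not ESAPI's JavaEncryptor code: the function names, the choice of SHA-512, feeding the salt back into every round, and the timing helper are all assumptions of the example. It lets you measure the trade-off the thread is arguing about: how much slower a legitimate login gets versus how much slower an offline brute-force of a leaked hash gets (both scale by the same factor).

```python
import hashlib
import hmac
import os
import time


def iterated_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted SHA-512, re-hashed `iterations` times.

    This is the plain iterated-hash form of key strengthening the thread
    discusses; iterations == 1 is the "essentially off" setting.
    (Illustrative design: the salt-per-round mixing is an assumption of
    this example, not a description of ESAPI's implementation.)
    """
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    digest = hashlib.sha512(salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        # Mix the salt into every round so each round depends on it.
        digest = hashlib.sha512(salt + digest).digest()
    return digest


def verify(password: str, salt: bytes, iterations: int, stored: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    return hmac.compare_digest(iterated_hash(password, salt, iterations), stored)


def seconds_per_hash(iterations: int, samples: int = 50) -> float:
    """Average wall-clock cost of one hash at the given iteration count."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        iterated_hash(f"candidate-{i}", salt, iterations)
    return (time.perf_counter() - start) / samples


def slowdown_factor(low: int, high: int) -> float:
    """How many times more expensive one guess becomes at `high` iterations
    compared with `low`. The same factor applies to a legitimate login and
    to an attacker with a copy of the hash table."""
    return seconds_per_hash(high) / seconds_per_hash(low)


if __name__ == "__main__":
    salt = os.urandom(16)                     # per-user random salt
    stored = iterated_hash("correct horse", salt, 1024)
    print("verify ok:   ", verify("correct horse", salt, 1024, stored))
    print("verify wrong:", verify("wrong", salt, 1024, stored))
    print(f"per-hash cost at    1 iteration : {seconds_per_hash(1) * 1e6:8.1f} us")
    print(f"per-hash cost at 1024 iterations: {seconds_per_hash(1024) * 1e6:8.1f} us")
    print(f"slowdown factor 1 -> 1024: {slowdown_factor(1, 1024):.0f}x")
```

Run it as a script to see the two costs side by side; `slowdown_factor` is the number to put in front of the developers Arshan mentions, since it is exactly the multiplier applied to an offline guessing run against a dumped table. A purpose-built password KDF (PBKDF2, bcrypt or scrypt) is what a reviewer would recommend over a hand-rolled loop like this one today, but the cost-versus-latency argument in the thread is the same either way.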
