[Owasp-leaders] Stepping through password hashing options

Jim Manico jim.manico at owasp.org
Mon Jun 11 08:09:39 UTC 2012


Excellent technique, great conversation.

Please note, Bcrypt is •very• slow and has DOS concerns that need to
be considered. Check out the CPU usage and execution time of only 100
rounds of BCrypt!
http://www.analyticalengine.net/2012/06/should-we-really-use-bcryptscrypt/

But again, what an interesting conversation.

One last thing: passwords are dead, IMO. Multi-factor is a critical
control as we move forward. Password storage and strength concerns
fade significantly in the face of MFA. :)

Aloha from London,

--
Jim Manico
VP, Security Architecture
WhiteHat Security
(808) 652-3805

On Jun 10, 2012, at 6:10 PM, Michael Coates <michael.coates at owasp.org> wrote:

> A nice post from one of the web dev managers here at Mozilla.  I'm interested to hear people's thoughts on the final option or any stories on other approaches.
>
> The key item is blending the benefits of hashing / time requirements with a practical approach to minimize the impact of most common theft vector (sql injection)
>
> http://blog.mozilla.org/webdev/2012/06/08/lets-talk-about-password-storage/
>
>
>
>
> -------
> Michael Coates | OWASP
> michael.coates at owasp.org | @_mwc
>
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders


More information about the OWASP-Leaders mailing list