[Owasp-leaders] Stepping through password hashing options

Jim Manico jim.manico at owasp.org
Mon Jun 11 23:59:54 UTC 2012


Since bcrypt's first use for most consumer sites is during registration,
which is unauthenticated, rate limiting and IP address blocking are not
always effective.

When one function run 100 times concurrently can pin a CPU, you gotta
be really careful...

--
Jim Manico
(808) 652-3805

On Jun 11, 2012, at 11:45 PM, Michael Coates <michael.coates at owasp.org> wrote:

> True, application-based denial of service needs to be addressed via rate limiting.
>
> Most of the time, application-based DoS is within the authenticated portion of an application, and rate limiting is easy since you know the user in question and can log out/block them.
>
> For unauthenticated items (such as login) you can still throttle via IP addresses.  This is something Google performs when they see malicious activity from an IP range: they prompt the users with a captcha to verify that the user is legit and allow that user (now with a session ID indicating they're human) to continue operating with the website.
>
> -------
> Michael Coates | OWASP
> michael.coates at owasp.org | @_mwc
>
>
>
> On Jun 11, 2012, at 1:09 AM, Jim Manico wrote:
>
>> Excellent technique, great conversation.
>>
>> Please note, bcrypt is *very* slow and has DoS concerns that need to
>> be considered. Check out the CPU usage and execution time of only 100
>> rounds of bcrypt!
>> http://www.analyticalengine.net/2012/06/should-we-really-use-bcryptscrypt/
>>
>> But again, what an interesting conversation.
>>
>> One last thing: passwords are dead, IMO. Multi-factor is a critical
>> control as we move forward. Password storage and strength concerns
>> fade significantly in the face of MFA. :)
>>
>> Aloha from London,
>>
>> --
>> Jim Manico
>> VP, Security Architecture
>> WhiteHat Security
>> (808) 652-3805
>>
>> On Jun 10, 2012, at 6:10 PM, Michael Coates <michael.coates at owasp.org> wrote:
>>
>>> A nice post from one of the web dev managers here at Mozilla.  I'm interested to hear people's thoughts on the final option or any stories on other approaches.
>>>
>>> The key item is blending the benefits of hashing / time requirements with a practical approach to minimize the impact of the most common theft vector (SQL injection).
>>>
>>> http://blog.mozilla.org/webdev/2012/06/08/lets-talk-about-password-storage/
>>>
>>> -------
>>> Michael Coates | OWASP
>>> michael.coates at owasp.org | @_mwc
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
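An added example (not from the thread or any project it mentions) of the two points above: how hashing cost scales with the work factor, and a global cap on in-flight hashes for the unauthenticated registration path, where per-IP throttling may not suffice. It uses the standard library's scrypt in place of bcrypt (same deliberately-slow property); `RegistrationHasher`, `seconds_per_hash` and `MAXMEM` are hypothetical names chosen here.

```python
import hashlib
import os
import threading
import time

# Assumption: scrypt stands in for bcrypt; the DoS concern (one slow hash
# per request, many requests at once) is the same for both.
MAXMEM = 64 * 2**20  # scrypt with n=2**14, r=8 uses 16 MiB; allow headroom

def hash_password(password: bytes, salt: bytes, log2_n: int = 14) -> bytes:
    """Slow, memory-hard password hash; cost doubles for every +1 of log2_n."""
    return hashlib.scrypt(password, salt=salt, n=2**log2_n, r=8, p=1,
                          maxmem=MAXMEM, dklen=32)

def seconds_per_hash(log2_n: int, samples: int = 3) -> float:
    """Measure wall-clock cost of a single hash at the given work factor."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        hash_password(b"correct horse battery staple", salt, log2_n)
    return (time.perf_counter() - start) / samples

class RegistrationHasher:
    """Bounds how many expensive hashes may run at once on an unauthenticated path.

    Per-IP limits do not help against a distributed registration flood; a global
    cap on in-flight hashes keeps CPU available for authenticated users and turns
    a potential outage into a fast 'try again later' response."""
    def __init__(self, max_in_flight: int):
        self._slots = threading.BoundedSemaphore(max_in_flight)

    def try_reserve(self) -> bool:
        # Non-blocking: callers shed load instead of queueing on a pinned CPU.
        return self._slots.acquire(blocking=False)

    def release(self) -> None:
        self._slots.release()

    def register(self, password: bytes, log2_n: int = 14):
        """Return (salt, digest), or None when the hashing budget is exhausted."""
        if not self.try_reserve():
            return None
        try:
            salt = os.urandom(16)
            return salt, hash_password(password, salt, log2_n)
        finally:
            self.release()

if __name__ == "__main__":
    for log2_n in (10, 12, 14):
        print(f"log2_n={log2_n}: {seconds_per_hash(log2_n) * 1000:.1f} ms per hash")
```

Run it once on the target hardware to pick a work factor, then size `max_in_flight` so that the worst case (every slot busy) stays within the CPU you are willing to spend on registrations.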