[OWASP_PHPSEC] For the love of bcrypt

rahul chaudhary rahul300chaudhary400 at gmail.com
Wed Sep 18 05:12:33 UTC 2013


Yes... that's what I am saying... when the password comes to the server, we can
check the length of the password, and if it's greater than, say, 64, then we
won't hash it... if it's less, only then will we hash it and see if the
hashes match... and if the attacker does a DoS by providing many 64-length
passwords, then it will be detected by the brute-force mechanism...


On Tue, Sep 17, 2013 at 5:22 PM, Abbas Naderi <abiusx at owasp.org> wrote:

> If you do, yet. But it is not based on the password you STORE on your
> system, but the password that a user submits when they are trying to login
> :D
>
> ______________________________________________________________
> *Notice:* This message is *digitally signed*; its *source* and
> *integrity* are verifiable.
> If your mail client does not support S/MIME verification, it will display a
> file (smime.p7s), which includes the X.509 certificate and the signature
> body.  Read more at Certified E-Mail with Comodo and Thunderbird<http://abiusx.com/certified-e-mail-with-comodo-and-thunderbird/> in
> AbiusX.com
>
> On Sep 17, 2013, at 3:38 PM, rahul chaudhary <
> rahul300chaudhary400 at gmail.com> wrote:
>
> But as suggested in the comments... if you check the lengths of
> passwords on the server side too, then it can be thwarted. So, is this
> really a problem? If yes, how?
>
>
> On Mon, Sep 16, 2013 at 7:04 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>
>>
>> http://arstechnica.com/security/2013/09/long-passwords-are-good-but-too-much-length-can-be-bad-for-security/
>>
>>
>> _______________________________________________
>> OWASP_PHP_Security_Project mailing list
>> OWASP_PHP_Security_Project at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp_php_security_project
>>
>>
>
>
> --
> Regards,
> Rahul Chaudhary
> Ph - 412-519-9634
>
>
>


-- 
Regards,
Rahul Chaudhary
Ph - 412-519-9634
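The check the thread converges on, as an added example (not code from the thread or from the OWASP PHP project): the length cap is applied to the password the client submits, and it runs before password_hash()/password_verify() so that an over-long submission costs the server a strlen() rather than a bcrypt round. The cap of 64, the in-memory user store, the cost factor and the function names are assumptions for illustration; 64 also stays under the 72 bytes that bcrypt actually uses from its input, so nothing a user types is silently ignored. As the message above notes, the cap does not by itself stop a flood of cap-sized passwords; that is the job of the rate-limiting or brute-force detection the server runs separately.

```php
<?php
// Added example, not code from the thread or the OWASP PHP project.
// MAX_PASSWORD_BYTES, BCRYPT_COST, the $users array and the function
// names are assumptions made for illustration.

// Submitted passwords longer than this are refused before any hashing.
// 64 is the figure from the discussion; bcrypt itself uses at most the
// first 72 bytes of its input, so this cap loses nothing.
const MAX_PASSWORD_BYTES = 64;
const BCRYPT_COST = 12;

// Length check in bytes (strlen), not characters (mb_strlen): bcrypt
// works on bytes, and the client controls the encoding it submits.
function password_too_long($password)
{
    return strlen($password) > MAX_PASSWORD_BYTES;
}

// Registration: refuse over-long passwords first, hash only afterwards.
function register_user(array &$users, $username, $password)
{
    if (password_too_long($password)) {
        return false;
    }
    $users[$username] = password_hash(
        $password, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST)
    );
    return true;
}

// Login: the cheap length check runs before password_verify(), so a
// flood of huge passwords never reaches bcrypt. An unknown username still
// pays for one verification against a dummy hash, so a missing account
// cannot be told apart from a wrong password by response time.
function login(array $users, $username, $password)
{
    static $dummy_hash = null;
    if ($dummy_hash === null) {
        $dummy_hash = password_hash(
            'dummy-password', PASSWORD_BCRYPT, array('cost' => BCRYPT_COST)
        );
    }

    if (password_too_long($password)) {
        return false;                 // rejected without touching bcrypt
    }
    if (!isset($users[$username])) {
        password_verify($password, $dummy_hash);
        return false;
    }
    return password_verify($password, $users[$username]);
}

// Constructed demonstration input.
$users = array();
register_user($users, 'alice', 'correct horse battery staple');

$huge = str_repeat('A', 1024 * 1024);   // 1 MiB of password, attacker-sized

$start = microtime(true);
$rejected = login($users, 'alice', $huge);
$fast = microtime(true) - $start;

$start = microtime(true);
$ok = login($users, 'alice', 'correct horse battery staple');
$slow = microtime(true) - $start;

printf("1 MiB password accepted: %s (%.4fs)\n", var_export($rejected, true), $fast);
printf("real password accepted:  %s (%.4fs)\n", var_export($ok, true), $slow);
```

The timing printed for the oversized submission is the cost of strlen() alone, while the genuine login shows the full bcrypt cost; raising BCRYPT_COST widens the gap and makes the point of checking length first more visible.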

