Luke Taylor (Migrated from SEC-1389) said:
Added to BaseDigestPasswordEncoder.
Jared Stehler said:
Forgive my naivety, but I read the wiki page as saying that the key strengthening principle is applicable at the client side, to increase the processing time required to generate a password hash, so that brute force attackers need to expend more CPU resources to generate each guess, thereby also increasing time-between-guesses. Unless passwordEncoders are used in the client side, all this change does is increase server load, especially during brute force attacks.
"If the attacker uses the same class of hardware as the user, each guess will take the same amount of time it took the user (for example, one second). Even if the attacker might have much greater computing resources than the user, the key strengthening will still slow him down. The user only has to compute the strengthening function once to use his known password, but the attacker must compute it for each guess in his attack."
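To make the iteration-count trade-off discussed above concrete, here is an added Python example (not Spring Security's encoder, and its `iterations$salt$digest` layout is an assumption for this illustration): an iterated salted SHA-256 encoder whose work factor is stored with the hash, so a legitimate login pays the cost once per attempt while each offline guess against a leaked hash pays the same cost.

```python
import hashlib
import hmac
import os
import time

# Iterated, salted digest in the spirit of a "strengthened" password encoder.
# Algorithm and storage format are assumptions for this example only.
ALGORITHM = "sha256"

def strengthen(password: str, salt: bytes, iterations: int) -> bytes:
    """Hash salt+password, then re-hash the digest until `iterations` digests are done.

    Each extra iteration costs the legitimate user one digest per login,
    but costs an offline attacker one digest per guess.
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    digest = hashlib.new(ALGORITHM, salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.new(ALGORITHM, digest).digest()
    return digest

def encode(password: str, iterations: int, salt=None) -> str:
    """Store 'iterations$salthex$digesthex' so the work factor travels with the hash
    and can be raised later without breaking verification of older entries."""
    salt = salt if salt is not None else os.urandom(16)
    return f"{iterations}${salt.hex()}${strengthen(password, salt, iterations).hex()}"

def matches(password: str, encoded: str) -> bool:
    """Verify a candidate using the iteration count and salt stored with the hash."""
    iter_str, salt_hex, digest_hex = encoded.split("$")
    candidate = strengthen(password, bytes.fromhex(salt_hex), int(iter_str))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def seconds_per_check(iterations: int, password: str = "correct horse") -> float:
    """Measure one verification at a given work factor on this machine.

    The same figure is the per-guess cost for anyone cracking a stolen hash
    with comparable hardware, which is the point of key strengthening."""
    salt = b"\x00" * 16  # constructed fixed salt; only the timing matters here
    start = time.perf_counter()
    strengthen(password, salt, iterations)
    return time.perf_counter() - start

if __name__ == "__main__":
    stored = encode("s3cret", 10_000)
    print(stored, matches("s3cret", stored), matches("guess", stored))
    for n in (1, 1_000, 100_000):
        print(f"{n:>7} iterations: {seconds_per_check(n):.5f} s per check")
```

Raising the stored iteration count slows offline cracking of a leaked table; it does not replace rate limiting or lockout against online guessing, which is the server-load concern raised in the comment above.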