
SEC-1389: Add "iterations" property to password encoders #1632

Closed
spring-issuemaster opened this Issue Jan 26, 2010 · 2 comments


Luke Taylor said:

Added to BaseDigestPasswordEncoder.

Jared Stehler said:

Forgive my naivety, but I read the wiki page as saying that the key strengthening principle is applicable at the client side, to increase the processing time required to generate a password hash, so that brute force attackers need to expend more CPU resources to generate each guess, thereby also increasing time-between-guesses. Unless passwordEncoders are used in the client side, all this change does is increase server load, especially during brute force attacks.

From http://en.wikipedia.org/wiki/Key_strengthening:

"If the attacker uses the same class of hardware as the user, each guess will take the same amount of time it took the user (for example, one second). Even if the attacker might have much greater computing resources than the user, the key strengthening will still slow him down. The user only has to compute the strengthening function once to use his known password, but the attacker must compute it for each guess in his attack."
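To make the trade-off in the comment above concrete, the following is an added illustration (not Spring Security's code, and not the `BaseDigestPasswordEncoder` implementation referenced in this issue) of what an "iterations" property does: the digest is applied repeatedly, the iteration count and salt are stored alongside the hash so the verifier can recompute it, and the server pays the same per-attempt cost that an offline attacker pays per guess. The function names `iterated_digest`, `encode`, `matches`, `needs_rehash` and `login`, the `algorithm$iterations$salt$digest` layout and the defaults are assumptions made for this example; storing the iteration count with the hash is what lets the count be raised later without invalidating existing entries.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed illustration of an iterated (key-stretched) salted digest.
# Names, string layout and defaults are assumptions, not Spring Security's API.

DEFAULT_ALGORITHM = "sha256"


def iterated_digest(password: str, salt: bytes, iterations: int,
                    algorithm: str = DEFAULT_ALGORITHM) -> bytes:
    """Digest password||salt once, then re-digest the output (iterations - 1) times.

    Each extra iteration costs the verifier one digest per login attempt and
    costs an offline attacker one digest per candidate password per stored hash.
    """
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    digest = hashlib.new(algorithm, password.encode("utf-8") + salt).digest()
    for _ in range(iterations - 1):
        digest = hashlib.new(algorithm, digest).digest()
    return digest


def encode(password: str, iterations: int, salt: Optional[bytes] = None,
           algorithm: str = DEFAULT_ALGORITHM) -> str:
    """Return a self-describing string: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    digest = iterated_digest(password, salt, iterations, algorithm)
    return f"{algorithm}${iterations}${salt.hex()}${digest.hex()}"


def _parse(encoded: str) -> Tuple[str, int, bytes, bytes]:
    """Split a stored string back into its parameters; reject anything malformed."""
    try:
        algorithm, iterations, salt_hex, digest_hex = encoded.split("$")
        return algorithm, int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError as exc:
        raise ValueError("malformed encoded password") from exc


def matches(password: str, encoded: str) -> bool:
    """Recompute with the parameters stored in the hash and compare in constant time."""
    algorithm, iterations, salt, expected = _parse(encoded)
    candidate = iterated_digest(password, salt, iterations, algorithm)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(encoded: str, current_iterations: int,
                 current_algorithm: str = DEFAULT_ALGORITHM) -> bool:
    """True when the stored hash used weaker parameters than the current policy."""
    algorithm, iterations, _, _ = _parse(encoded)
    return algorithm != current_algorithm or iterations < current_iterations


def login(password: str, stored: str, policy_iterations: int) -> Tuple[bool, str]:
    """Verify the password; on success, re-encode under the current policy if it grew."""
    if not matches(password, stored):
        return False, stored
    if needs_rehash(stored, policy_iterations):
        stored = encode(password, policy_iterations)
    return True, stored


if __name__ == "__main__":
    # Constructed sample: a hash stored at 1000 iterations, policy later raised to 10000.
    stored = encode("correct horse", iterations=1000)
    ok, stored = login("correct horse", stored, policy_iterations=10000)
    print(ok, stored.split("$")[1])
```

The cost that matters is the one paid per guess: the server computes the chain once per authentication attempt, so rate limiting and lockout on repeated failures keep the online load bounded, while an attacker who has obtained the stored hashes must pay the full iteration count for every candidate password with no such limit to rely on.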

@spring-issuemaster spring-issuemaster added this to the 3.0.2 milestone Feb 5, 2016
