SEC-1389: Add "iterations" property to password encoders #1632

Closed
spring-issuemaster opened this Issue Jan 26, 2010 · 2 comments

1 participant

@spring-issuemaster

Luke Taylor said:

Added to BaseDigestPasswordEncoder.

@spring-issuemaster

Jared Stehler said:

Forgive my naivety, but I read the wiki page as saying that the key strengthening principle is applicable at the client side, to increase the processing time required to generate a password hash, so that brute force attackers need to expend more CPU resources to generate each guess, thereby also increasing time-between-guesses. Unless passwordEncoders are used in the client side, all this change does is increase server load, especially during brute force attacks.

From http://en.wikipedia.org/wiki/Key_strengthening:

"If the attacker uses the same class of hardware as the user, each guess will take the same amount of time it took the user (for example, one second). Even if the attacker might have much greater computing resources than the user, the key strengthening will still slow him down. The user only has to compute the strengthening function once to use his known password, but the attacker must compute it for each guess in his attack."
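As an added example, not code from Spring Security or from either commenter: a small Python model of an iterated, salted digest encoder with an `iterations` knob, plus a constant-time verify and a timing helper that makes the thread's trade-off concrete (the work per guess and the work per server-side check are the same). The exact chaining (digest password||salt once, then re-digest the output) is an assumption, not the project's actual implementation.

```python
import hashlib
import hmac
import os
import time


def encode_password(raw_password: str, salt: bytes, iterations: int,
                    algorithm: str = "sha256") -> bytes:
    """Iterated salted digest (assumed scheme): hash password||salt once,
    then re-hash the digest until `iterations` hash calls have been spent."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    digest = hashlib.new(algorithm, raw_password.encode("utf-8") + salt).digest()
    for _ in range(iterations - 1):
        digest = hashlib.new(algorithm, digest).digest()
    return digest


def is_password_valid(stored: bytes, raw_password: str, salt: bytes,
                      iterations: int) -> bool:
    """Verifier pays exactly the same iteration cost as an attacker's guess."""
    candidate = encode_password(raw_password, salt, iterations)
    return hmac.compare_digest(stored, candidate)  # constant-time compare


def seconds_per_check(iterations: int, samples: int = 5) -> float:
    """Average wall time of one encode at this iteration count (constructed input)."""
    salt = b"constructed-salt"
    start = time.perf_counter()
    for _ in range(samples):
        encode_password("correct horse battery staple", salt, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    salt = os.urandom(16)
    stored = encode_password("hunter2", salt, 10_000)
    print("valid:", is_password_valid(stored, "hunter2", salt, 10_000))
    print("wrong:", is_password_valid(stored, "hunter3", salt, 10_000))
    # Cost scales linearly with iterations, for the server and for every guess.
    for n in (1, 1_000, 100_000):
        print(f"{n:>7} iterations: {seconds_per_check(n) * 1e3:.3f} ms per check")
```

Raising `iterations` therefore slows each brute-force guess by the same factor it slows each legitimate login, so the value is a tuning knob against expected authentication throughput, not free security.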

@spring-issuemaster spring-issuemaster added this to the 3.0.2 milestone Feb 5, 2016