On Saturday 05 January 2013, Igor Galić wrote:
> > No, mod_authn_socache only caches the lookup of the password
> > hash. It avoids having to open the password file/dbm/whatever
> > but it still calls apr_password_validate() every time. Maybe it
> > should be extended to also cache the real password and the
> > result of apr_password_validate()?
>
> Stupid question time:
> Why can't we store the password hash in the socache instead of
> the plain-text password?
Because validating the password from the hash is slow. It has to be slow, in order to make it impossible to brute-force the password from the hash using today's graphics chips. A single CPU core of a Core i7 @ 2.8 GHz can do this many password validations per second:

crypt:    4157 (I have been told that this could be improved by reusing the struct crypt_data)
md5crypt: 3552 (the current default algorithm)
bcrypt5:   503 (cost setting 5, current default in htpasswd for bcrypt)
bcrypt8:    66 (cost setting 8, a common value for use of bcrypt in /etc/passwd)

If the validation has to be done once per request, it severely limits the web server's performance. Of course with form based auth, this is much less of a problem than with basic auth, because the password has only to be validated during login. But I would still like to have a viable and secure solution for basic auth.
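An added example (my own code, not mod_authn_socache's and not anything posted in this thread) illustrating both halves of the reply above: a small benchmark showing how validations per second fall as the cost setting rises, and a validation-result cache of the kind the quoted message proposes, designed so the presented plain-text password is never stored. PBKDF2-HMAC-SHA256 from Python's hashlib stands in for crypt/md5crypt/bcrypt purely because it ships with Python; the iteration count plays the role of the bcrypt cost. All function names, the realm, user and password values are made up for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
import time
from collections import OrderedDict


# Stand-in for crypt()/md5crypt/bcrypt (assumption: PBKDF2-HMAC-SHA256 from
# hashlib, chosen only because it needs no extra package); the iteration count
# plays the role of the bcrypt cost setting discussed in the thread.
def slow_hash(password: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def make_record(password: bytes, iterations: int) -> tuple:
    """Create the stored credential, i.e. what the password file would hold."""
    salt = os.urandom(16)
    return (iterations, salt, slow_hash(password, salt, iterations))


def validate(password: bytes, record: tuple) -> bool:
    """The expensive step, the analogue of apr_password_validate()."""
    iterations, salt, digest = record
    return hmac.compare_digest(slow_hash(password, salt, iterations), digest)


def validations_per_second(iterations: int, seconds: float = 0.25) -> float:
    """Measure how many validations one core manages, as the reply above did."""
    record = make_record(b"benchmark", iterations)
    deadline = time.perf_counter() + seconds
    count = 0
    while time.perf_counter() < deadline:
        validate(b"benchmark", record)
        count += 1
    return count / seconds


class ValidationCache:
    """Caches successful validations so Basic auth pays the slow hash once.

    The presented password is never stored: the key is an HMAC, under a
    per-process random secret, over realm, user, the presented password and
    the stored salt+hash. Binding the stored hash into the key means a changed
    password file invalidates old entries without an explicit flush.
    """

    def __init__(self, ttl_seconds: float, max_entries: int = 1024):
        self._secret = secrets.token_bytes(32)   # dies with the process
        self._ttl = ttl_seconds
        self._max = max_entries
        self._entries: "OrderedDict[bytes, float]" = OrderedDict()
        self.slow_validations = 0                # counter for tests/metrics

    def _key(self, realm: bytes, user: bytes, password: bytes, record: tuple) -> bytes:
        material = b"\x00".join([realm, user, password, record[1], record[2]])
        return hmac.new(self._secret, material, hashlib.sha256).digest()

    def check(self, realm: bytes, user: bytes, password: bytes, record: tuple, now=None):
        """Return (authenticated, served_from_cache)."""
        now = time.monotonic() if now is None else now
        key = self._key(realm, user, password, record)
        stamp = self._entries.get(key)
        if stamp is not None:
            if now - stamp < self._ttl:
                self._entries.move_to_end(key)   # refresh LRU position
                return True, True
            del self._entries[key]               # expired entry
        self.slow_validations += 1
        if not validate(password, record):
            return False, False                  # failures are never cached
        self._entries[key] = now
        while len(self._entries) > self._max:
            self._entries.popitem(last=False)    # evict least recently used
        return True, False


if __name__ == "__main__":
    # Each doubling of the cost roughly halves the throughput, as in the reply.
    for n in (1000, 2000, 4000, 8000):
        print(f"{n:>5} iterations: {validations_per_second(n):8.0f} validations/s")
    cache = ValidationCache(ttl_seconds=300)
    record = make_record(b"correct horse", 8000)   # constructed credential
    for _ in range(3):
        print(cache.check(b"realm", b"alice", b"correct horse", record))
    print("slow validations performed:", cache.slow_validations)
```

Only positive results are cached, so a wrong password always pays the full cost and cannot poison the cache; the TTL bounds how long a password that was changed elsewhere (other than through the stored hash, which is bound into the key) keeps working; and because the key is an HMAC under a secret that exists only in memory, a dump of the cache yields neither the password nor anything that can be verified offline faster than the original hash.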