On Saturday 05 January 2013, Igor Galić wrote:
> > No, mod_authn_socache only caches the lookup of the password
> > hash. It avoids having to open the password file/dbm/whatever
> > but it still calls apr_password_validate() every time. Maybe it
> > should be extended to also cache the real password and the
> > result of
> > apr_password_validate()?
> >
>
> Stupid question time:
> Why can't we store the password hash in the socache instead of
> the plain-text password?
Because validating the password from the hash is slow. It has to be
slow, in order to make it impossible to brute-force the password from
the hash using today's graphics chips.
A single cpu core of a core i7 @ 2.8GHz can do this many password
validations per second:

crypt:     4157  (I have been told that this could be improved by
                  reusing the struct crypt_data)
md5crypt:  3552  (the current default algorithm)
bcrypt5:    503  (cost setting 5, current default in htpasswd for bcrypt)
bcrypt8:     66  (cost setting 8, a common value for use of bcrypt in
                  /etc/passwd)
If the validation has to be done once per request, it severely limits
the web server's performance.
Of course with form based auth, this is much less of a problem than
with basic auth, because the password has only to be validated during
login. But I would still like to have a viable and secure solution for
basic auth.
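The option raised in the thread, caching the result of apr_password_validate() so the slow hash runs once per credential rather than once per request, as an added example that is not httpd or APR code. `slow_validate` is a stand-in for apr_password_validate() (PBKDF2-SHA256 at a high iteration count plays the role of bcrypt/md5crypt); `ValidateCache`, `make_hash` and the 300-second TTL are assumptions of this example. The cache never stores the plaintext: the key is an HMAC of the submitted password under a per-process random key, bound to the user name and the stored hash, so a password change in the password file invalidates the entry. A counter shows how many times the slow path actually ran.

```python
"""Cache the result of a slow password check instead of repeating it.

Added example, not httpd/APR code. slow_validate() stands in for
apr_password_validate(): a deliberately expensive PBKDF2 check.
"""
import hashlib
import hmac
import os
import time

# Deliberately slow, as bcrypt/md5crypt are by design (assumed work factor).
ITERATIONS = 100_000
SALT_LEN = 16


def make_hash(password: str) -> str:
    """Create a salted PBKDF2 hash in the form 'salthex$dkhex' (example format)."""
    salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"


def slow_validate(password: str, stored: str) -> bool:
    """Stand-in for apr_password_validate(): recompute and compare in constant time."""
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


class ValidateCache:
    """Memoises validation results; the plaintext never enters the cache."""

    def __init__(self, ttl_seconds: float = 300.0):
        self._key = os.urandom(32)      # per-process secret, memory only
        self._ttl = ttl_seconds
        self._entries = {}              # cache key -> (result, expiry)
        self.slow_calls = 0             # how often the slow path ran

    def _cache_key(self, user: str, password: str, stored: str) -> bytes:
        # HMAC over user, submitted password and the stored hash: a changed
        # password file entry therefore produces a different key (cache miss).
        msg = b"\0".join(s.encode() for s in (user, password, stored))
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def validate(self, user: str, password: str, stored: str, now=None) -> bool:
        now = time.monotonic() if now is None else now
        k = self._cache_key(user, password, stored)
        hit = self._entries.get(k)
        if hit is not None and hit[1] > now:
            return hit[0]               # cache hit: no slow hashing
        self.slow_calls += 1
        ok = slow_validate(password, stored)
        self._entries[k] = (ok, now + self._ttl)
        return ok


def benchmark(n: int = 20):
    """Return (seconds uncached, seconds cached, slow calls) for n requests."""
    stored = make_hash("correct horse")   # constructed sample credential
    cache = ValidateCache()
    t0 = time.perf_counter()
    for _ in range(n):
        slow_validate("correct horse", stored)
    uncached = time.perf_counter() - t0
    t0 = time.perf_counter()
    for _ in range(n):
        cache.validate("alice", "correct horse", stored)
    cached = time.perf_counter() - t0
    return uncached, cached, cache.slow_calls


if __name__ == "__main__":
    u, c, calls = benchmark()
    print(f"20 validations: {u:.3f}s uncached, {c:.3f}s cached ({calls} slow call)")
```

The caveat a deployment has to take seriously: a cached entry is a plaintext-equivalent credential for as long as it lives, so the HMAC key here is generated per process and kept in memory only. With a socache backend shared between processes or hosts (shm, memcache) the key would have to be shared too, and the cache store itself becomes as sensitive as the password file; a short TTL limits the window.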