[ https://issues.apache.org/jira/browse/CASSANDRA-11022?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sam Tunnicliffe updated CASSANDRA-11022:
----------------------------------------
    Fix Version/s:     (was: 3.4)
                   3.x

> Use SHA hashing to store password in the credentials cache
> ----------------------------------------------------------
>
>                 Key: CASSANDRA-11022
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-11022
>             Project: Cassandra
>          Issue Type: New Feature
>            Reporter: Mike Adamson
>             Fix For: 3.x
>
>
> In CASSANDRA-7715 a credentials cache has been added to the
> {{PasswordAuthenticator}} to improve performance when multiple
> authentications occur for the same user.
> Unfortunately, the bcrypt hash is being cached which is one of the major
> performance overheads in password authentication.
> I propose that the cache is changed to use a SHA-<xxx> hash to store the user
> password. As long as the cache is cleared for the user on an unsuccessful
> authentication this won't significantly increase the ability of an attacker
> to use a brute force attack because every other attempt will use bcrypt.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
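The caching scheme proposed in the description above, as an added sketch that is neither Cassandra's code nor part of the original message: a cheap SHA-256 digest is cached after a successful slow verification, and the entry is evicted on any failed attempt. Assumptions: PBKDF2 stands in for bcrypt so the block runs on the standard library alone, a dict stands in for the role table, the per-entry cache salt is an addition, and every name here (`CachingAuthenticator`, `slow_hash`, `fast_hash`, `slow_calls`) is hypothetical.

```python
import hashlib
import hmac
import os

SLOW_ITERATIONS = 100_000  # constructed cost; PBKDF2 stands in for bcrypt here


def slow_hash(password: str, salt: bytes) -> bytes:
    """Deliberately expensive hash, as kept in the persistent credential store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, SLOW_ITERATIONS)


def fast_hash(password: str, salt: bytes) -> bytes:
    """Cheap salted SHA-256, held only in the in-memory cache."""
    return hashlib.sha256(salt + password.encode()).digest()


class CachingAuthenticator:
    def __init__(self):
        self.stored = {}     # username -> (salt, slow hash); stands in for the role table
        self.cache = {}      # username -> (salt, fast hash); in memory only
        self.slow_calls = 0  # counts expensive verifications, for the demonstration

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.stored[username] = (salt, slow_hash(password, salt))

    def authenticate(self, username: str, password: str) -> bool:
        entry = self.cache.get(username)
        if entry is not None:
            salt, digest = entry
            if hmac.compare_digest(fast_hash(password, salt), digest):
                return True           # cache hit: no slow hash needed
            del self.cache[username]  # failed attempt: evict, so the next
            return False              # attempt for this user takes the slow path
        record = self.stored.get(username)
        if record is None:
            return False
        salt, expected = record
        self.slow_calls += 1
        if not hmac.compare_digest(slow_hash(password, salt), expected):
            return False              # failures are never cached
        cache_salt = os.urandom(16)   # fresh salt per cache entry (assumption)
        self.cache[username] = (cache_salt, fast_hash(password, cache_salt))
        return True
```

Only the first guess against a cached user is checked with the cheap hash; after eviction each further guess costs a full slow verification until a correct login repopulates the entry.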