[ 
https://issues.apache.org/jira/browse/CASSANDRA-11022?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15247980#comment-15247980
 ] 

Aleksey Yeschenko commented on CASSANDRA-11022:
-----------------------------------------------

I would prefer to just make the number of rounds configurable (also, I'm pretty 
sure it's already configurable with a -D flag - just cannot remember the ticket 
number). If the price of doing the bcrypt rounds is higher for you than that of 
fetching the hash from the table, and it is too high, the user should just 
lower the default # of rounds - instead of this workaround.

> Use SHA hashing to store password in the credentials cache
> ----------------------------------------------------------
>
>                 Key: CASSANDRA-11022
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-11022
>             Project: Cassandra
>          Issue Type: New Feature
>            Reporter: Mike Adamson
>             Fix For: 3.x
>
>
> In CASSANDRA-7715 a credentials cache has been added to the 
> {{PasswordAuthenticator}} to improve performance when multiple 
> authentications occur for the same user. 
> Unfortunately, the bcrypt hash is being cached which is one of the major 
> performance overheads in password authentication. 
> I propose that the cache is changed to use a SHA-<xxx> hash to store the user 
> password. As long as the cache is cleared for the user on an unsuccessful 
> authentication this won't significantly increase the ability of an attacker 
> to use a brute force attack because every other attempt will use bcrypt.



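As an added example, not code from the ticket or from Cassandra's own `PasswordAuthenticator`, the following Python models the cache behaviour the description proposes: a successful login stores a cheap digest of the password per user, later attempts for that user are checked against the digest without running the slow hash, and a failed attempt evicts the entry so the next attempt pays the slow hash again. PBKDF2-HMAC-SHA256 with a configurable iteration count stands in for bcrypt and its configurable rounds (an assumption, since the `bcrypt` package may not be installed); the table contents, usernames and passwords are constructed. One addition beyond the ticket's "SHA-<xxx> hash": the cached digest is keyed with a process-local random secret, so an entry lifted from a heap dump is not an unsalted SHA of the password that could be cracked offline.

```python
import hashlib
import hmac
import os

# Stand-in for bcrypt: PBKDF2-HMAC-SHA256 whose iteration count plays the role
# of bcrypt's configurable number of rounds. (Assumption: Cassandra uses bcrypt;
# the real API differs.)
DEFAULT_ROUNDS = 100_000


def slow_hash(password: str, salt: bytes, rounds: int = DEFAULT_ROUNDS) -> bytes:
    """The expensive verification the cache is meant to avoid on repeat logins."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def build_table(users: dict, rounds: int = DEFAULT_ROUNDS) -> dict:
    """Constructed stand-in for the roles table: user -> (salt, slow hash)."""
    return {u: (salt, slow_hash(p, salt, rounds))
            for u, p in users.items() for salt in [os.urandom(16)]}


class CredentialsCache:
    """Cache of cheap per-user password digests in front of the slow hash."""

    def __init__(self, table: dict, rounds: int = DEFAULT_ROUNDS):
        self.table = table
        self.rounds = rounds
        self.cache = {}                 # user -> HMAC-SHA256 digest of the password
        self.cache_key = os.urandom(32)  # process-local secret (assumption, not in the ticket)
        self.slow_checks = 0            # how many times the slow hash actually ran

    def _fast_digest(self, user: str, password: str) -> bytes:
        # Keyed digest: cheap to compute, useless offline without cache_key.
        msg = user.encode() + b"\0" + password.encode()
        return hmac.new(self.cache_key, msg, hashlib.sha256).digest()

    def authenticate(self, user: str, password: str) -> bool:
        fast = self._fast_digest(user, password)
        cached = self.cache.get(user)
        if cached is not None and hmac.compare_digest(cached, fast):
            return True  # cache hit: no slow hash needed

        # Cache miss or mismatch: fall back to the slow hash against the table.
        entry = self.table.get(user)
        if entry is None:
            self.cache.pop(user, None)
            return False
        salt, stored = entry
        self.slow_checks += 1
        ok = hmac.compare_digest(stored, slow_hash(password, salt, self.rounds))
        if ok:
            self.cache[user] = fast
        else:
            # Unsuccessful authentication clears the user's entry, so the next
            # attempt for this user (right or wrong) goes through the slow hash.
            self.cache.pop(user, None)
        return ok


def run_demo(rounds: int = 1_000) -> list:
    """Correct, correct, wrong, correct: returns (result, slow_checks) per attempt."""
    cache = CredentialsCache(build_table({"alice": "s3cret"}, rounds), rounds)
    attempts = ["s3cret", "s3cret", "wrong-guess", "s3cret"]
    out = []
    for pw in attempts:
        out.append((cache.authenticate("alice", pw), cache.slow_checks))
    return out


if __name__ == "__main__":
    for result, slow in run_demo():
        print(f"ok={result!s:5}  slow hashes so far={slow}")
```

The second attempt is the cache hit the ticket is after; the wrong guess and the correct login that follows it both pay the slow hash, which is the "every other attempt will use bcrypt" property the description relies on. Lowering `rounds` is the alternative Aleksey suggests: it cuts the cost of every slow check rather than skipping some of them.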
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)