[ 
https://issues.apache.org/jira/browse/CASSANDRA-11022?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

C. Scott Andreas updated CASSANDRA-11022:
-----------------------------------------
    Component/s: Auth

> Use SHA hashing to store password in the credentials cache
> ----------------------------------------------------------
>
>                 Key: CASSANDRA-11022
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-11022
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Auth
>            Reporter: Mike Adamson
>            Priority: Major
>             Fix For: 4.x
>
>
> In CASSANDRA-7715 a credentials cache has been added to the 
> {{PasswordAuthenticator}} to improve performance when multiple 
> authentications occur for the same user. 
> Unfortunately, the bcrypt hash is being cached which is one of the major 
> performance overheads in password authentication. 
> I propose that the cache is changed to use a SHA-<xxx> hash to store the user 
> password. As long as the cache is cleared for the user on an unsuccessful 
> authentication this won't significantly increase the ability of an attacker 
> to use a brute force attack because every other attempt will use bcrypt.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
