Re: Username/password authentication for thin clients

Mon, 12 Feb 2018 07:58:09 -0800 

Colleagues, Denis,

It will be great to use bcrypt for password hashing in Ignite.
Could you suggest the right way to use bcrypt:
1. add 'jbcrypt' maven dependency;
2. include the single 'BCrypt.java' file to our project [1].

Does the license allow to include 'BCrypt.java' ?
[1]. https://github.com/jeremyh/jBCrypt/blob/master/src/main/java/org/mindrot/BCrypt.java 


On 18.01.2018 13:50, Taras Ledkov wrote:


Password hashing algorithms of the popular vendors:

mysql: SHA-265, old-native-hash
postgres: MD5, DES, Extended DES, Blowfish-based
oracle: SHA-1

Some about "comparison" SHA-2 vs bcrypt [1]:
> SHA-512 is a cryptographic hash while bcrypt is a password hash or PBKDF (password based key derivation function).
> SHA-512 has been designed to be fast. You don't want any delays when validating a signature, for instance. 
> There is no reason for generic cryptographic hashes to be slow.
> bcrypt on the other hand is a password hash that performs key strengthening on the input. > Basically it does this by slowing down the calculation so that attackers will have to spend > more resources to find the input by brute forcing or dictionary attacks. > The idea is that although the legit users - you in this case - will also be slowed down, > they are only slowed down once per password. However the attackers are slowed down for each try. > The legit user is of course much more likely to input the right password first.
> Furthermore bcrypt also contains a salt as input, which can be used to avert rainbow table attacks.
Conclusion: bcrypt can provide more security but the popular vendors use SHA and even MD5 by default.
[1]. https://crypto.stackexchange.com/questions/46550/benchmark-differences-between-sha-512-and-bcrypt 

On 18.01.2018 9:29, Vladimir Ozerov wrote:

Taras,

I think we need a comparison of available options and (possibly) analysis
what other vendors use.

On Tue, Jan 16, 2018 at 3:56 PM, Taras Ledkov<tled...@gridgain.com>  wrote:


What do you think about usage bcrypt [1], [2] to store encrypted password?

[1]https://stackoverflow.com/questions/1561174/sha512-vs-blowfi
sh-and-bcrypt
[2]https://en.wikipedia.org/wiki/Bcrypt



On 15.01.2018 11:19, Vladimir Ozerov wrote:


2) Credentials will be stored in a form of [username + hash] [1]


--
Taras Ledkov
Mail-To:tled...@gridgain.com




--
Taras Ledkov
Mail-To:tled...@gridgain.com


--
Taras Ledkov
Mail-To: tled...@gridgain.com

Reply via email to