It will be great to use bcrypt for password hashing in Ignite.
Could you suggest the right way to use bcrypt:
1. add 'jbcrypt' maven dependency;
2. include the single 'BCrypt.java' file to our project .
Does the license allow to include 'BCrypt.java' ?
On 18.01.2018 13:50, Taras Ledkov wrote:
Password hashing algorithms of the popular vendors:
mysql: SHA-265, old-native-hash
postgres: MD5, DES, Extended DES, Blowfish-based
Some about "comparison" SHA-2 vs bcrypt :
> SHA-512 is a cryptographic hash while bcrypt is a password hash or
PBKDF (password based key derivation function).
> SHA-512 has been designed to be fast. You don't want any delays when
validating a signature, for instance.
> There is no reason for generic cryptographic hashes to be slow.
> bcrypt on the other hand is a password hash that performs key
strengthening on the input.
> Basically it does this by slowing down the calculation so that
attackers will have to spend
> more resources to find the input by brute forcing or dictionary
> The idea is that although the legit users - you in this case - will
also be slowed down,
> they are only slowed down once per password. However the attackers
are slowed down for each try.
> The legit user is of course much more likely to input the right
> Furthermore bcrypt also contains a salt as input, which can be used
to avert rainbow table attacks.
Conclusion: bcrypt can provide more security but the popular vendors
use SHA and even MD5 by default.
On 18.01.2018 9:29, Vladimir Ozerov wrote:
I think we need a comparison of available options and (possibly) analysis
what other vendors use.
On Tue, Jan 16, 2018 at 3:56 PM, Taras Ledkov<tled...@gridgain.com> wrote:
What do you think about usage bcrypt ,  to store encrypted password?
On 15.01.2018 11:19, Vladimir Ozerov wrote:
2) Credentials will be stored in a form of [username + hash]