I second that! Just keep in mind that bcrypt-ruby was *designed* to be a slow hash to prevent dictionary attacks and rainbow tables. However, it's unlikely it will use massive CPU unless an attack is in progress. After all, how many users could be authenticating at the same moment?
On Sun, Apr 13, 2008 at 10:02 PM, Antonio Salazar <[EMAIL PROTECTED]> wrote:
> On Mar 26, 9:13 pm, "Adam Wiggins" <[EMAIL PROTECTED]> wrote:
> > Let me know if you have other C extension gem installation requests.
>
> Any chance we could get bcrypt-ruby?
>
> Excerpt from the bcrypt-ruby docs at: http://bcrypt-ruby.rubyforge.org/
>
> This is much slower than the big database approach, but most hash algorithms are pretty quick — and therein lies the problem. Hash algorithms aren't usually designed to be slow, they're designed to turn gigabytes of data into secure fingerprints as quickly as possible. bcrypt(), though, is designed to be computationally expensive:
>
> TEN THOUSAND iterations:
>
>                user     system      total        real
>     md5    0.070000   0.000000   0.070000 (  0.070415)
>     bcrypt 22.230000  0.080000  22.310000 ( 22.493822)
>
> If an attacker was using Ruby to check each password, they could check ~140,000 passwords a second with MD5 but only ~450 passwords a second with bcrypt().
>
> In addition, bcrypt() allows you to increase the amount of work required to hash a password as computers get faster. Old passwords will still work fine, but new passwords can keep up with the times.
>
> bcrypt() is currently used as the default password storage hash in OpenBSD, widely regarded as the most secure operating system available.
>
> For a more technical explanation of the algorithm and its design criteria, please read Niels Provos and David Mazières' Usenix99 paper: www.usenix.org/events/usenix99/provos.html

You received this message because you are subscribed to the Google Groups "Heroku" group.
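The mechanism the quoted excerpt describes, a work factor stored alongside each hash so it can be raised as hardware gets faster while existing hashes keep verifying, as an added example that is not from this thread or from bcrypt-ruby. It uses PBKDF2-HMAC-SHA256 from Ruby's standard library as a stand-in for bcrypt so it runs without the gem; with bcrypt-ruby the same upgrade-on-login check would read the stored cost from BCrypt::Password#cost. The module name, record format and iteration counts are assumptions.

```ruby
require 'openssl'
require 'securerandom'

# Stand-in for bcrypt's tunable cost, using PBKDF2-HMAC-SHA256 from Ruby's
# standard library. Each stored record carries the iteration count it was
# made with, so records created under an older, cheaper policy still verify
# after the policy is raised, and can be re-hashed at the next login.
module SlowHash
  CURRENT_ITERATIONS = 100_000 # assumed current site policy; raise over time
  KEY_LENGTH = 32
  SCHEME = "pbkdf2-sha256"

  # Record format (assumed, not bcrypt's): scheme$iterations$salt_b64$key_b64
  def self.create(password, iterations: CURRENT_ITERATIONS)
    salt = SecureRandom.random_bytes(16)
    key  = derive(password, salt, iterations)
    [SCHEME, iterations, [salt].pack("m0"), [key].pack("m0")].join("$")
  end

  def self.derive(password, salt, iterations)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                             length: KEY_LENGTH, hash: "sha256")
  end

  # The cost lives in the record itself, exactly as bcrypt embeds its cost.
  def self.cost(stored)
    stored.split("$")[1].to_i
  end

  def self.verify(password, stored)
    scheme, iterations, salt_b64, key_b64 = stored.split("$")
    return false unless scheme == SCHEME && key_b64
    actual = derive(password, salt_b64.unpack1("m0"), iterations.to_i)
    secure_compare(key_b64.unpack1("m0"), actual)
  end

  # Constant-time comparison so the check does not leak how many leading
  # bytes of the derived key matched.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Login-time upgrade: verify against the record's own cost; if that cost is
  # below the current policy, return a fresh record for the caller to persist.
  def self.authenticate(password, stored)
    return [false, stored] unless verify(password, stored)
    stored = create(password) if cost(stored) < CURRENT_ITERATIONS
    [true, stored]
  end
end
```

Because verification always uses the cost embedded in the record, raising CURRENT_ITERATIONS never locks out users with older hashes; they are silently re-hashed the next time they log in successfully.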
