ctubbsii commented on issue #2700: URL: https://github.com/apache/accumulo/issues/2700#issuecomment-1135675967
> This section doesn't deal strictly with passwords, but I wrote a [test](https://github.com/dlmarion/accumulo/blob/password_test/server/base/src/test/java/org/apache/accumulo/server/security/handler/PasswordHashTest.java) to compare the performance difference between the Commons-Codec Crypt approach that is being used currently vs `PBKDF2WithHmacSHA512` as suggested in NIST SP800-63B. It looks to be roughly 3x faster.

Commons-codec Crypt produces a Linux-standard hash suitable for placing in /etc/shadow for a user password (see `man 5 crypt`). I don't want to do anything custom. If the faster approach can be incorporated upstream into commons-codec, I'd strongly prefer that route over any other alternative.

Modern Linux defaults use `yescrypt`, `$y$` hashes, whereas we're using `sha512crypt`, `$6$`. I'd be fine with defaulting to a more efficient algorithm, if it is supported by commons-codec and is widely considered at least as secure as `sha512crypt`.

Something else to keep in mind: faster hashing makes brute force attacks more efficient. The fact that `sha512crypt` is slower isn't necessarily a bad thing. It would be nice if it didn't use as much CPU, though.
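To make the two approaches under discussion concrete, here is an added example (not code from the Accumulo project or from the linked test) that hashes and verifies a password with Commons Codec's `sha512crypt` and with `PBKDF2WithHmacSHA512`. The `$pbkdf2-sha512$iterations$salt$key` storage layout and the 210,000 iteration count are assumptions for illustration; the point is that the iteration count is the knob that trades CPU time against brute-force resistance, so it is stored with the hash and can be raised later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.apache.commons.codec.digest.Crypt;

public class PasswordHashDemo {
  private static final SecureRandom RNG = new SecureRandom();
  // Assumed work factor: higher means slower for attackers and for the server alike.
  private static final int PBKDF2_ITERATIONS = 210_000;
  private static final int PBKDF2_KEY_BITS = 512;

  // sha512crypt via Commons Codec: a random salt is chosen and a "$6$salt$hash" string returned.
  static String hashSha512Crypt(String password) {
    return Crypt.crypt(password);
  }

  // Verify by re-hashing with the stored string as the salt; crypt reuses its "$6$salt" prefix.
  static boolean verifySha512Crypt(String password, String stored) {
    byte[] recomputed = Crypt.crypt(password, stored).getBytes(StandardCharsets.UTF_8);
    return MessageDigest.isEqual(recomputed, stored.getBytes(StandardCharsets.UTF_8));
  }

  // PBKDF2WithHmacSHA512: keep iterations and salt next to the derived key (constructed format).
  static String hashPbkdf2(char[] password) throws Exception {
    byte[] salt = new byte[16];
    RNG.nextBytes(salt);
    Base64.Encoder b64 = Base64.getEncoder();
    return "$pbkdf2-sha512$" + PBKDF2_ITERATIONS + "$" + b64.encodeToString(salt)
        + "$" + b64.encodeToString(derive(password, salt, PBKDF2_ITERATIONS));
  }

  static boolean verifyPbkdf2(char[] password, String stored) throws Exception {
    String[] parts = stored.split("\\$"); // ["", "pbkdf2-sha512", iterations, salt, key]
    if (parts.length != 5 || !"pbkdf2-sha512".equals(parts[1])) return false;
    byte[] salt = Base64.getDecoder().decode(parts[3]);
    byte[] expected = Base64.getDecoder().decode(parts[4]);
    // Constant-time comparison so a mismatch position is not observable through timing.
    return MessageDigest.isEqual(derive(password, salt, Integer.parseInt(parts[2])), expected);
  }

  private static byte[] derive(char[] password, byte[] salt, int iterations) throws Exception {
    PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, PBKDF2_KEY_BITS);
    return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512").generateSecret(spec).getEncoded();
  }

  public static void main(String[] args) throws Exception {
    String crypt = hashSha512Crypt("correct horse");
    String pbkdf2 = hashPbkdf2("correct horse".toCharArray());
    System.out.println(verifySha512Crypt("correct horse", crypt) + " " + verifyPbkdf2("correct horse".toCharArray(), pbkdf2));
    System.out.println(verifySha512Crypt("wrong", crypt) + " " + verifyPbkdf2("wrong".toCharArray(), pbkdf2));
  }
}
```

Timing the two `verify` calls side by side over the same iteration budget is how the speed comparison in the quoted test would be reproduced; whichever algorithm is chosen, the cost should be set by policy rather than left at a library default.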
