[jira] [Updated] (CASSANDRA-11022) Use SHA hashing to store password in the credentials cache
[
https://issues.apache.org/jira/browse/CASSANDRA-11022?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
C. Scott Andreas updated CASSANDRA-11022:
-
Component/s: Auth
> Use SHA hashing to store password in the credentials cache
> --
>
> Key: CASSANDRA-11022
> URL: https://issues.apache.org/jira/browse/CASSANDRA-11022
> Project: Cassandra
> Issue Type: New Feature
> Components: Auth
>Reporter: Mike Adamson
>Priority: Major
> Fix For: 4.x
>
>
> In CASSANDRA-7715 a credentials cache has been added to the
> {{PasswordAuthenticator}} to improve performance when multiple
> authentications occur for the same user.
> Unfortunately, the bcrypt hash is being cached which is one of the major
> performance overheads in password authentication.
> I propose that the cache is changed to use a SHA- hash to store the user
> password. As long as the cache is cleared for the user on an unsuccessful
> authentication this won't significantly increase the ability of an attacker
> to use a brute force attack because every other attempt will use bcrypt.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Updated] (CASSANDRA-11022) Use SHA hashing to store password in the credentials cache
[
https://issues.apache.org/jira/browse/CASSANDRA-11022?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sam Tunnicliffe updated CASSANDRA-11022:
Fix Version/s: (was: 3.4)
3.x
> Use SHA hashing to store password in the credentials cache
> --
>
> Key: CASSANDRA-11022
> URL: https://issues.apache.org/jira/browse/CASSANDRA-11022
> Project: Cassandra
> Issue Type: New Feature
>Reporter: Mike Adamson
> Fix For: 3.x
>
>
> In CASSANDRA-7715 a credentials cache has been added to the
> {{PasswordAuthenticator}} to improve performance when multiple
> authentications occur for the same user.
> Unfortunately, the bcrypt hash is being cached which is one of the major
> performance overheads in password authentication.
> I propose that the cache is changed to use a SHA- hash to store the user
> password. As long as the cache is cleared for the user on an unsuccessful
> authentication this won't significantly increase the ability of an attacker
> to use a brute force attack because every other attempt will use bcrypt.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Updated] (CASSANDRA-11022) Use SHA hashing to store password in the credentials cache
[
https://issues.apache.org/jira/browse/CASSANDRA-11022?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Mike Adamson updated CASSANDRA-11022:
-
Fix Version/s: 3.4
> Use SHA hashing to store password in the credentials cache
> --
>
> Key: CASSANDRA-11022
> URL: https://issues.apache.org/jira/browse/CASSANDRA-11022
> Project: Cassandra
> Issue Type: New Feature
>Reporter: Mike Adamson
> Fix For: 3.4
>
>
> In CASSANDRA-7715 a credentials cache has been added to the
> {{PasswordAuthenticator}} to improve performance when multiple
> authentications occur for the same user.
> Unfortunately, the bcrypt hash is being cached which is one of the major
> performance overheads in password authentication.
> I propose that the cache is changed to use a SHA- hash to store the user
> password. As long as the cache is cleared for the user on an unsuccessful
> authentication this won't significantly increase the ability of an attacker
> to use a brute force attack because every other attempt will use bcrypt.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
