[jira] [Updated] (CASSANDRA-11022) Use SHA hashing to store password in the credentials cache
[ https://issues.apache.org/jira/browse/CASSANDRA-11022?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

C. Scott Andreas updated CASSANDRA-11022:
    Component/s: Auth

> Use SHA hashing to store password in the credentials cache
>
>                 Key: CASSANDRA-11022
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-11022
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Auth
>            Reporter: Mike Adamson
>            Priority: Major
>             Fix For: 4.x
>
>
> In CASSANDRA-7715 a credentials cache has been added to the
> {{PasswordAuthenticator}} to improve performance when multiple
> authentications occur for the same user.
> Unfortunately, the bcrypt hash is being cached which is one of the major
> performance overheads in password authentication.
> I propose that the cache is changed to use a SHA- hash to store the user
> password. As long as the cache is cleared for the user on an unsuccessful
> authentication this won't significantly increase the ability of an attacker
> to use a brute force attack because every other attempt will use bcrypt.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (CASSANDRA-11022) Use SHA hashing to store password in the credentials cache
[ https://issues.apache.org/jira/browse/CASSANDRA-11022?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sam Tunnicliffe updated CASSANDRA-11022:
    Fix Version/s:     (was: 3.4)
                   3.x

> Use SHA hashing to store password in the credentials cache
>
>                 Key: CASSANDRA-11022
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-11022
>             Project: Cassandra
>          Issue Type: New Feature
>            Reporter: Mike Adamson
>             Fix For: 3.x

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (CASSANDRA-11022) Use SHA hashing to store password in the credentials cache
[ https://issues.apache.org/jira/browse/CASSANDRA-11022?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mike Adamson updated CASSANDRA-11022:
    Fix Version/s: 3.4

> Use SHA hashing to store password in the credentials cache
>
>                 Key: CASSANDRA-11022
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-11022
>             Project: Cassandra
>          Issue Type: New Feature
>            Reporter: Mike Adamson
>             Fix For: 3.4
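
The caching scheme proposed in the issue description, as an added sketch that is not Cassandra's code or any patch attached to the ticket: a successful slow verification populates an in-memory cache with a fast SHA-256 digest, and a mismatch against that digest clears the user's entry. Assumptions: PBKDF2 stands in for bcrypt (which is not in the Python standard library), the class, its fields and the per-entry nonce are hypothetical, and a cache mismatch falls through to the slow check so that a changed password still works.

```python
import hashlib
import hmac
import os

SLOW_ITERATIONS = 100_000  # constructed work factor for the bcrypt stand-in

def slow_hash(password, salt):
    """Expensive KDF standing in for bcrypt, which is not in the stdlib."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, SLOW_ITERATIONS)

class CachingAuthenticator:
    """Hypothetical authenticator; not Cassandra's PasswordAuthenticator."""

    def __init__(self, stored):
        self.stored = stored   # user -> (salt, slow hash): the persisted credentials
        self.cache = {}        # user -> (nonce, SHA-256 digest): memory only
        self.slow_checks = 0   # number of expensive verifications performed

    @staticmethod
    def _fast_digest(nonce, password):
        # A random per-entry nonce keeps equal passwords from sharing a digest.
        return hashlib.sha256(nonce + password.encode()).digest()

    def authenticate(self, user, password):
        entry = self.cache.get(user)
        if entry is not None:
            nonce, digest = entry
            if hmac.compare_digest(digest, self._fast_digest(nonce, password)):
                return True            # repeat login: no slow hash needed
            del self.cache[user]       # mismatch: clear the user's entry
        # Slow path: every attempt that did not match the cache pays full cost.
        if user not in self.stored:
            return False
        salt, expected = self.stored[user]
        self.slow_checks += 1
        if not hmac.compare_digest(expected, slow_hash(password, salt)):
            return False               # failures are never cached
        nonce = os.urandom(16)
        self.cache[user] = (nonce, self._fast_digest(nonce, password))
        return True
```

The `slow_checks` counter makes the cost visible: repeated correct logins leave it unchanged, while each wrong password increments it and leaves the cache empty for that user.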