cassandra-commits mailing list archives

From "Mike Adamson (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CASSANDRA-11022) Use SHA hashing to store password in the credentials cache
Date Fri, 15 Jan 2016 16:03:39 GMT
Mike Adamson created CASSANDRA-11022:
----------------------------------------

             Summary: Use SHA hashing to store password in the credentials cache
                 Key: CASSANDRA-11022
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-11022
             Project: Cassandra
          Issue Type: New Feature
            Reporter: Mike Adamson


In CASSANDRA-7715 a credentials cache has been added to the {{PasswordAuthenticator}} to improve
performance when multiple authentications occur for the same user. 

Unfortunately, the bcrypt hash is being cached, which is one of the major performance overheads
in password authentication.

I propose that the cache is changed to use a SHA-<xxx> hash to store the user password.
As long as the cache is cleared for the user on an unsuccessful authentication this won't
significantly increase the ability of an attacker to use a brute force attack because every
other attempt will use bcrypt.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
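
The proposal above, sketched as an added example that is not part of the original message and is not Cassandra's code: a cache that keeps only a SHA-256 hash after a successful slow verification and evicts the user's entry on any failed attempt. Assumptions: all class and method names are hypothetical, PBKDF2 stands in for bcrypt (which the JDK does not ship), the cached hash is salted with a per-process random value, and a single account is modelled.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added illustration: all names are hypothetical, not Cassandra's own classes.
public class FastHashCredentialsCache {
    private final Map<String, byte[]> cache = new ConcurrentHashMap<>(); // user -> SHA-256
    private final byte[] storedSalt = new byte[16], cacheSalt = new byte[16];
    private final byte[] storedHash;  // stands in for the stored bcrypt hash
    int slowVerifications = 0;        // demo counter, single-threaded use only

    FastHashCredentialsCache(String password) throws Exception {
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(storedSalt);
        rng.nextBytes(cacheSalt);     // per-process salt for cached hashes (this example's choice)
        storedHash = slowHash(password);
    }
    // PBKDF2 is a stand-in for bcrypt here; it plays the role of the expensive hash.
    private byte[] slowHash(String pw) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pw.toCharArray(), storedSalt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }
    private byte[] fastHash(String pw) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(cacheSalt);
        return md.digest(pw.getBytes(StandardCharsets.UTF_8));
    }

    boolean authenticate(String user, String pw) throws Exception {
        byte[] cached = cache.get(user);
        if (cached != null) {
            // Cache hit: constant-time comparison of the cheap hash only.
            if (MessageDigest.isEqual(cached, fastHash(pw))) return true;
            cache.remove(user);       // failed attempt: the next one must take the slow path
            return false;
        }
        slowVerifications++;
        if (!MessageDigest.isEqual(storedHash, slowHash(pw))) return false;
        cache.put(user, fastHash(pw)); // cache only after the slow check succeeds
        return true;
    }

    public static void main(String[] args) throws Exception {
        FastHashCredentialsCache auth = new FastHashCredentialsCache("s3cret"); // constructed sample
        for (String pw : new String[] {"s3cret", "s3cret", "guess1", "guess2", "s3cret"})
            System.out.println(auth.authenticate("alice", pw) + ", slow hashes: " + auth.slowVerifications);
    }
}
```

The counter printed by main shows which attempts paid for the slow hash: a wrong guess against a cached entry is checked with SHA-256 once, and every attempt after it goes through the slow path until a correct password repopulates the cache.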
