cassandra-commits mailing list archives

From "Sam Tunnicliffe (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CASSANDRA-11022) Use SHA hashing to store password in the credentials cache
Date Mon, 29 Feb 2016 14:29:18 GMT

     [ https://issues.apache.org/jira/browse/CASSANDRA-11022?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sam Tunnicliffe updated CASSANDRA-11022:
----------------------------------------
    Fix Version/s:     (was: 3.4)
                   3.x

> Use SHA hashing to store password in the credentials cache
> ----------------------------------------------------------
>
>                 Key: CASSANDRA-11022
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-11022
>             Project: Cassandra
>          Issue Type: New Feature
>            Reporter: Mike Adamson
>             Fix For: 3.x
>
>
> In CASSANDRA-7715 a credentials cache has been added to the {{PasswordAuthenticator}}
> to improve performance when multiple authentications occur for the same user.
> Unfortunately, the bcrypt hash is being cached which is one of the major performance
> overheads in password authentication.
> I propose that the cache is changed to use a SHA-<xxx> hash to store the user password.
> As long as the cache is cleared for the user on an unsuccessful authentication this won't
> significantly increase the ability of an attacker to use a brute force attack because every
> other attempt will use bcrypt.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
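
The cache behaviour proposed in the issue above, as an added Python example that is not Cassandra's code or the patch for this ticket: a fast salted hash is cached after a successful slow check, and the entry is cleared on any mismatch so the next attempt pays the slow cost again. Assumptions: PBKDF2 stands in for bcrypt, salted SHA-256 stands in for "SHA-<xxx>", and `CachingAuthenticator`, `slow_hash`, `fast_hash` and `slow_checks` are hypothetical names.

```python
import hashlib
import hmac
import os

def slow_hash(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2 stands in for bcrypt so this runs on the standard library.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def fast_hash(password: str, salt: bytes) -> bytes:
    # Assumption: salted SHA-256 is the "SHA-<xxx>" cache hash.
    return hashlib.sha256(salt + password.encode()).digest()

class CachingAuthenticator:  # hypothetical name, not Cassandra's PasswordAuthenticator
    def __init__(self):
        self.stored = {}      # user -> (salt, slow hash), the persisted credentials
        self.cache = {}       # user -> (salt, fast hash), in memory only
        self.slow_checks = 0  # counts expensive verifications, for the demonstration

    def add_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.stored[user] = (salt, slow_hash(password, salt))

    def authenticate(self, user: str, password: str) -> bool:
        entry = self.cache.get(user)
        if entry is not None:
            salt, digest = entry
            if hmac.compare_digest(digest, fast_hash(password, salt)):
                return True   # cache hit: no slow hash computed
            # Unsuccessful attempt: clear the user's entry so guesses cannot
            # keep being tested against the fast hash.
            del self.cache[user]
        record = self.stored.get(user)
        if record is None:
            return False
        # Slow path. Falling through here after a cache mismatch is a choice
        # made in this example; it also covers a password changed since caching.
        self.slow_checks += 1
        salt, expected = record
        if not hmac.compare_digest(expected, slow_hash(password, salt)):
            return False
        cache_salt = os.urandom(16)
        self.cache[user] = (cache_salt, fast_hash(password, cache_salt))
        return True

if __name__ == "__main__":
    auth = CachingAuthenticator()
    auth.add_user("alice", "correct horse")   # constructed sample credentials
    for guess in ["correct horse", "correct horse", "wrong", "correct horse"]:
        print(guess, auth.authenticate("alice", guess), auth.slow_checks)
```

The cached digest is only as strong as a fast hash, so it belongs in process memory only and should never be persisted or logged.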
