httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Fritsch ...@sfritsch.de>
Subject Re: Password caching (was: svn commit: r1427548)
Date Sat, 05 Jan 2013 11:05:24 GMT
On Saturday 05 January 2013, Igor Galić wrote:
> > No, mod_authn_socache only caches the lookup of the password
> > hash. It avoids having to open the password file/dbm/whatever
> > but it still calls apr_password_validate() every time. Maybe it
> > should be extended to also cache the real password and the
> > result of
> > apr_password_validate()?
> >
> > 
> 
> Stupid question time:
> Why can't we store the password hash in the socache instead of
> the plain-text password?

Because validating the password from the hash is slow. It has to be 
slow, in order to make it impossible to brute-force the password from 
the hash using today's graphics chips.

A single cpu core of a core i7 @ 2.8Ghz can do this many password 
validations per second:

     crypt:  4157 (I have been told that this could be improved by
                   reusing the struct crypt_data)
  md5crypt:  3552 (the current default algorithm)
   bcrypt5:   503 (cost setting 5, current default in htpasswd for
                   bcrypt)
   bcrypt8:    66 (cost setting 8, a common value for use
                   of bcrypt in /etc/passwd)

If the validation has to be done once per request, it severely limits 
the web server's performance.

Of course with form based auth, this is much less of a problem than 
with basic auth, because the password has only to be validated during 
login. But I would still like to have a viable and secure solution for 
basic auth.

Mime
View raw message