ignite-dev mailing list archives

From Taras Ledkov <tled...@gridgain.com>
Subject Re: Username/password authentication for thin clients
Date Thu, 18 Jan 2018 10:50:19 GMT
Password hashing algorithms of the popular vendors:

mysql: SHA-256, old-native-hash
postgres: MD5, DES, Extended DES, Blowfish-based
oracle: SHA-1

Some notes on the comparison of SHA-2 vs bcrypt [1]:

> SHA-512 is a cryptographic hash while bcrypt is a password hash or
> PBKDF (password based key derivation function).
>
> SHA-512 has been designed to be fast. You don't want any delays when
> validating a signature, for instance.
> There is no reason for generic cryptographic hashes to be slow.
>
> bcrypt on the other hand is a password hash that performs key
> strengthening on the input.
> Basically it does this by slowing down the calculation so that
> attackers will have to spend more resources to find the input by
> brute forcing or dictionary attacks.
> The idea is that although the legit users - you in this case - will
> also be slowed down, they are only slowed down once per password.
> However the attackers are slowed down for each try.
> The legit user is of course much more likely to input the right
> password first.
>
> Furthermore bcrypt also contains a salt as input, which can be used
> to avert rainbow table attacks.

Conclusion: bcrypt can provide more security but the popular vendors use 
SHA and even MD5 by default.

[1] https://crypto.stackexchange.com/questions/46550/benchmark-differences-between-sha-512-and-bcrypt

On 18.01.2018 9:29, Vladimir Ozerov wrote:
> Taras,
>
> I think we need a comparison of available options and (possibly) analysis
> what other vendors use.
>
> On Tue, Jan 16, 2018 at 3:56 PM, Taras Ledkov <tledkov@gridgain.com> wrote:
>
>> What do you think about using bcrypt [1], [2] to store the encrypted password?
>>
>> [1] https://stackoverflow.com/questions/1561174/sha512-vs-blowfish-and-bcrypt
>> [2] https://en.wikipedia.org/wiki/Bcrypt
>>
>>
>>
>> On 15.01.2018 11:19, Vladimir Ozerov wrote:
>>
>>> 2) Credentials will be stored in a form of [username + hash] [1]
>>>
>> --
>> Taras Ledkov
>> Mail-To: tledkov@gridgain.com
>>
>>

-- 
Taras Ledkov
Mail-To: tledkov@gridgain.com
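The mechanism the quoted answer describes, as an added example that is not code from this thread or from Apache Ignite: bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA-512 from hashlib stands in for it, since it has the same two properties the thread relies on, a tunable work factor that slows down every guess and a per-password random salt. The stored record format, the iteration count and the helper names are assumptions made for this example; the plain SHA-512 function is included only to show what an unsalted fast hash lacks.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

# Assumed parameters for this example (not Ignite's): PBKDF2-HMAC-SHA-512
# stands in for bcrypt because bcrypt is not in the standard library.
ITERATIONS = 200_000   # work factor: raise it as hardware gets faster
SALT_BYTES = 16        # random salt per stored password
DKLEN = 32             # derived key length in bytes


def fast_hash(password: str) -> str:
    """Plain SHA-512 of the password: unsalted and fast.
    Two users with the same password get the same digest, and one
    precomputed (rainbow) table of digests works against every user."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Build the stored credential record (assumed format):
    'pbkdf2_sha512$<iterations>$<salt hex>$<derived key hex>'.
    A fresh random salt is drawn unless one is supplied (for tests)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                             salt, iterations, dklen=DKLEN)
    return "pbkdf2_sha512${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify(password: str, record: str) -> bool:
    """Recompute the derived key from the salt and iteration count stored
    in the record and compare it in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha512":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations),
                             dklen=DKLEN)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def guesses_per_second(hash_fn: Callable[[str], str], guesses: int = 20) -> float:
    """Rough single-thread rate at which candidate passwords can be checked
    against one record. The gap between the fast hash and the PBKDF is the
    'attackers are slowed down for each try' point from the thread."""
    start = time.perf_counter()
    for i in range(guesses):
        hash_fn("guess-%d" % i)
    elapsed = time.perf_counter() - start
    return guesses / elapsed if elapsed > 0 else float("inf")


if __name__ == "__main__":
    # Constructed sample credentials: two users who chose the same password.
    alice = make_record("correct horse battery staple")
    bob = make_record("correct horse battery staple")
    print("same password, different stored records:", alice != bob)
    print("same password, identical SHA-512 digests:",
          fast_hash("correct horse battery staple") == fast_hash("correct horse battery staple"))
    print("verify right password:", verify("correct horse battery staple", alice))
    print("verify wrong password:", verify("Tr0ub4dor&3", alice))
    fixed_salt = b"\x00" * SALT_BYTES   # fixed only so the timing loop is comparable
    print("SHA-512 guesses/s: %.0f" % guesses_per_second(fast_hash))
    print("PBKDF2 guesses/s:  %.1f" % guesses_per_second(
        lambda p: make_record(p, salt=fixed_salt), guesses=5))
```

Running the script shows the two points from the quoted answer side by side: the fast hash produces one identical digest for every user who picked the same password, while each salted record differs and still verifies, and the per-guess cost of the PBKDF is several orders of magnitude higher than SHA-512 on the same machine. The legitimate user pays that cost once per login; a guessing attacker pays it for every candidate.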

