ignite-dev mailing list archives

From Taras Ledkov <tled...@gridgain.com>
Subject Re: Username/password authentication for thin clients
Date Thu, 18 Jan 2018 10:50:19 GMT
Password hashing algorithms of the popular vendors:

mysql: SHA-265, old-native-hash
postgres: MD5, DES, Extended DES, Blowfish-based
oracle: SHA-1

Some notes on the "comparison" of SHA-2 vs bcrypt [1]:

> SHA-512 is a cryptographic hash while bcrypt is a password hash or PBKDF (password based key derivation function).

> SHA-512 has been designed to be fast. You don't want any delays when validating a signature, for instance.
> There is no reason for generic cryptographic hashes to be slow.

> bcrypt on the other hand is a password hash that performs key strengthening on the input.
> Basically it does this by slowing down the calculation so that attackers will have to spend
> more resources to find the input by brute forcing or dictionary attacks.
> The idea is that although the legit users - you in this case - will also be slowed down,
> they are only slowed down once per password. However the attackers are slowed down for each try.
> The legit user is of course much more likely to input the right password first.

> Furthermore bcrypt also contains a salt as input, which can be used to avert rainbow table attacks.

Conclusion: bcrypt can provide more security but the popular vendors use 
SHA and even MD5 by default.


On 18.01.2018 9:29, Vladimir Ozerov wrote:
> Taras,
> I think we need a comparison of available options and (possibly) an analysis
> of what other vendors use.
> On Tue, Jan 16, 2018 at 3:56 PM, Taras Ledkov <tledkov@gridgain.com> wrote:
>> What do you think about using bcrypt [1], [2] to store the encrypted password?
>> [1] https://stackoverflow.com/questions/1561174/sha512-vs-blowfish-and-bcrypt
>> [2] https://en.wikipedia.org/wiki/Bcrypt
>> On 15.01.2018 11:19, Vladimir Ozerov wrote:
>>> 2) Credentials will be stored in a form of [username + hash] [1]
>> --
>> Taras Ledkov
>> Mail-To: tledkov@gridgain.com

Taras Ledkov
Mail-To: tledkov@gridgain.com
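
The trade-off discussed in this message, as an added example that is not part of the original e-mail and is not Ignite code: it stores credentials as [username + hash] with a per-user salt and a deliberately slow hash, next to a plain unsalted SHA-512. PBKDF2-HMAC-SHA512 from the Python standard library stands in for bcrypt here (bcrypt is not in the standard library); the record layout, the iteration count and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # assumed work factor; tune to the server's login latency budget
ALGO = "pbkdf2-sha512"  # stand-in for bcrypt, see lead-in

def fast_hash(password: str) -> str:
    """Unsalted SHA-512: same password always gives the same digest."""
    return hashlib.sha512(password.encode()).hexdigest()

def make_record(username: str, password: str, iterations: int = ITERATIONS) -> str:
    """Build a 'username:algo$cost$salt$hash' record with a fresh random salt."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return f"{username}:{ALGO}${iterations}${salt.hex()}${dk.hex()}"

def verify(record: str, username: str, password: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    user, _, encoded = record.rpartition(":")
    algo, iterations, salt_hex, dk_hex = encoded.split("$")
    if algo != ALGO:
        return False
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    same_user = hmac.compare_digest(user.encode(), username.encode())
    same_hash = hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    return same_user and same_hash

def per_guess_cost(rounds: int = 1000) -> tuple[float, float]:
    """Seconds per guess for the fast hash and for the slow password hash."""
    start = time.perf_counter()
    for i in range(rounds):
        fast_hash(f"guess{i}")
    fast = (time.perf_counter() - start) / rounds
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha512", b"guess", b"\x00" * 16, ITERATIONS)
    slow = time.perf_counter() - start
    return fast, slow

if __name__ == "__main__":
    # Constructed sample users sharing one password.
    a, b = make_record("alice", "s3cret"), make_record("bob", "s3cret")
    print(a, b, sep="\n")  # salts and hashes differ despite the equal password
    print("login ok:", verify(a, "alice", "s3cret"))
    fast, slow = per_guess_cost()
    print(f"cost per guess: fast {fast:.2e}s, slow {slow:.2e}s")
```

A legitimate login pays the slow-hash cost once, while an offline guesser pays it for every candidate and, because of the salt, separately for every user.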
