While we are at it - what would you suggest as the most efficient solution on App Engine? Is bcrypt too heavy?
On Dec 30 2011, 9:10 am, "Brandon Wirtz" <[email protected]> wrote:
> This was too much not to share.
>
> I was talking to a company today that is using password hashing to keep their
> users' passwords "safe". They were using Bcrypt.
>
> Given the performance hit that using Bcrypt has, I was surprised how many
> users they were able to support on very few CPUs.
>
> "We have a Translation Table. Lookups are faster than calculating the hash,
> so we check the lookup table before we calculate the hash that we are going
> to authenticate against."
>
> Pulling up the translation table gave the plain text of every user and
> password in their system. Along with all of the old usernames and passwords
> of those users.
>
> Apparently the idea was one the outsourced development company had
> "Deployed to hundreds if not thousands" of sites, and "it had never been a
> problem before".
>
> You can have the best locks on your doors, but if you leave the sliding
> glass window open they aren't doing you any good.
>
> Brandon Wirtz
> BlackWaterOps: President / Lead Mercenary
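The translation table described in the quoted message, modelled next to a store that keeps only a salt and a hash. This is an added example, not part of the original thread or the company's code: the class and function names are hypothetical, the credentials are constructed, and PBKDF2 from the Python standard library stands in for bcrypt.

```python
import hashlib
import hmac
import os

def slow_hash(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2-HMAC-SHA256 (standard library) stands in for bcrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class HashOnlyStore:
    """Persists only a per-user salt and the slow hash."""
    def __init__(self):
        self.rows = {}  # user -> (salt, hash); this is everything a dump contains

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.rows[user] = (salt, slow_hash(password, salt))

    def verify(self, user: str, password: str) -> bool:
        # Unknown users get a dummy salt and an empty hash, so the check still fails.
        salt, stored = self.rows.get(user, (b"\0" * 16, b""))
        return hmac.compare_digest(stored, slow_hash(password, salt))

    def dump(self) -> list:
        return [(u, s.hex(), h.hex()) for u, (s, h) in self.rows.items()]

class TranslationTableStore(HashOnlyStore):
    """The anecdote's shortcut: a plaintext-keyed table consulted before hashing."""
    def __init__(self):
        super().__init__()
        self.table = {}  # (user, plaintext password) -> hash

    def register(self, user: str, password: str) -> None:
        super().register(user, password)
        self.table[(user, password)] = self.rows[user][1]  # plaintext is now at rest

    def verify(self, user: str, password: str) -> bool:
        cached = self.table.get((user, password))
        if cached is not None:  # fast path: no hash computed
            return hmac.compare_digest(cached, self.rows[user][1])
        return super().verify(user, password)

    def dump(self) -> list:
        return super().dump() + [(u, p, h.hex()) for (u, p), h in self.table.items()]

def exposed_passwords(store, users: dict) -> list:
    """Users whose plaintext password appears in any field of the store's dump."""
    fields = {field for row in store.dump() for field in row}
    return sorted(u for u, p in users.items() if p in fields)

SAMPLE = {"alice": "correct horse battery", "bob": "hunter2"}  # constructed credentials
```

Both stores authenticate identically; only the second one's dump contains passwords, including ones the user has since changed.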
