Timeline for Can I initially hash passwords with SHA instead of hashing them with bcrypt to decouple requests from slow crypto functions?
Current License: CC BY-SA 3.0
6 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Mar 17, 2017 at 13:21 | history edited | CommunityBot | | replaced http://security.stackexchange.com/ with https://security.stackexchange.com/ |
| May 6, 2015 at 13:39 | vote accept | ElectricSignal | | |
| May 6, 2015 at 1:58 | comment added | Arran Schlosberg | | I agree with Neil's overall premise of not reinventing the wheel (particularly so in security). In the intermediate step you appear to be countering a reduced work factor (fewer bcrypt rounds) with ephemeral storage (less time for compromise). If for whatever reason you insist on having the very high aggregate bcrypt rounds (i.e. beyond user tolerance) then at least (i) use a truly ephemeral queue storage mechanism (e.g. Memcache with encrypted swap), and (ii) replace SHA with bcrypt at fewer rounds (to be "topped up" later). |
| May 5, 2015 at 19:31 | history edited | Neil Smithline | CC BY-SA 3.0 | explained why I don't like proposed solution |
| May 5, 2015 at 18:08 | comment added | ElectricSignal | | I should add I don't mind the slowness on verification, only when hashing. I added a diagram to show a possible workflow. |
| May 5, 2015 at 17:39 | history answered | Neil Smithline | CC BY-SA 3.0 | |