Not saying I want/need that for the moment, but you did ask for
suggestions. And yes, the exact purpose of slow hashing is to make
bruteforce attacks harder both with legit client attempts to authenticate,
and when/if the user database is compromised. The latter might be a more
valid reason to switch the algo used for storing password hashes.
However, I also tend to think that anyone capable of an attack on SHA1 with
proper (meaning something harder than masterkey/password/s.o.) passwords
will probably find other means of attack and not bother bruteforcing so the
benefit is questionable.

As for throughput, I suppose there are people doing hundreds of
connections per minute, but my guess would be systems with such load would
use connection pooling (if nothing else, to speed up the process) and won't
be starting that many completely new connections.

2015-07-27 15:40 GMT+03:00 Alex Peshkoff <peshk...@mail.ru>:

> On 07/26/2015 10:00 PM, Ivan Arabadzhiev wrote:
> > Personally, I've recently started using (mostly for kicks) things like
> > https://en.wikipedia.org/wiki/Scrypt
> > https://en.wikipedia.org/wiki/Bcrypt
> > https://en.wikipedia.org/wiki/PBKDF2
> > I suppose the option to tune them in the future (or even introduce a
> > configurable parameter) is also a plus.
>
> You may write authentication plugin using those things and use it in FB3,
> no changes in the rest of firebird are required for it.
> For people who do not need a lot of connections per second this may be
> useful.
>
>
>
> ------------------------------------------------------------------------------
> Firebird-Devel mailing list, web interface at
> https://lists.sourceforge.net/lists/listinfo/firebird-devel
>
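
An added illustration of the tunable cost parameter discussed in this thread (not code from Firebird or from either poster): a PBKDF2 password record that stores its own iteration count, so the cost can be raised later and older records upgraded at the next successful login. The record format, function names and iteration figures are assumptions made for the example.

```python
import hashlib
import hmac
import os

CURRENT_ITERATIONS = 200_000   # assumed policy value; raise it as hardware gets faster
MAX_ITERATIONS = 10_000_000    # assumed ceiling so a tampered record cannot stall the server


def hash_password(password, iterations=CURRENT_ITERATIONS, salt=None):
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Return (ok, upgraded_record).

    upgraded_record is a fresh record at CURRENT_ITERATIONS when the stored
    cost is below policy and the password was correct, otherwise None.
    """
    try:
        algo, iter_s, salt_hex, hash_hex = record.split("$")
        iterations = int(iter_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False, None          # malformed record
    if algo != "pbkdf2_sha256" or not 1 <= iterations <= MAX_ITERATIONS:
        return False, None
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    if not hmac.compare_digest(dk, expected):   # constant-time comparison
        return False, None
    if iterations < CURRENT_ITERATIONS:
        # Plaintext is only available at login, so this is the moment to re-hash.
        return True, hash_password(password)
    return True, None


if __name__ == "__main__":
    old = hash_password("correct horse", iterations=1_000)   # constructed legacy record
    ok, upgraded = verify_password("correct horse", old)
    print(ok, upgraded.split("$")[1])
```
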