Hi Brandon, What you say is fine if your threat model only includes "script kiddies" who don't have your source code. If either of those is not true - you have an adversary with some level of independent skill, or your source code is compromised - any method that relies on obscurity for its security will fare very poorly.
One thing to bear in mind is that if your app is ever compromised, your password database and/or source may be posted publicly; at that point, you no longer have to worry about just the initial attacker, but anyone with sufficient motivation. Of course, using federated login like OpenID or the Users API obviates the need to store passwords at all, making it Someone Else's Problem. :) -Nick On Tue, Nov 15, 2011 at 1:07 PM, Brandon Wirtz <drak...@digerat.com> wrote: > If I know your salt, I can “De-Hash” bcrypts faster than I can any of the > “weird” combinations. Because there are libraries for doing so on ATI cards. > **** > > ** ** > > If you do something weird a script kiddie can’t just pull code off the web > and attack it. **** > > ** ** > > You want to see who can offline crack a set of 1M users? Your bcrypt list > vs my “Weird” You don’t even have to give me the salt I’ll have 10k of > those cracked in the first 72 hours. 10 to 1 odds you won’t get through > mine without my source code in my life time.**** > > ** ** > > -Brandon Wirtz**** > > ** ** > > PS > I don’t usually do the “trust me I’m far more evil” but FBI, Homeland > Security, and the CIA have been to my doorstep for things I have defeated, > documented, or built to keep from being defeated. The first time I was in 3 > rd grade.**** > > ** ** > > *From:* google-appengine@googlegroups.com [mailto: > google-appengine@googlegroups.com] *On Behalf Of *Nick Johnson > *Sent:* Monday, November 14, 2011 3:56 PM > > *To:* google-appengine@googlegroups.com > *Subject:* Re: [google-appengine] Help resolve massive performance > regression in 2.7 vs 2.5 runtime**** > > ** ** > > No! Please, please don't do this. Obscurity is no substitute for security. > **** > > ** ** > > 1) Bcrypt or similar is not 'overkill' no matter who you are. Users reuse > passwords, and they're entitled to the best protection you can reasonably > provide them.**** > > 2) Bcrypt is not there to protect against online attacks, it's there to > protect against offline attacks, where an attacker obtains your hashed and > salted passwords.**** > > 3) Doing "something weird" is security through obscurity. Do not base your > security on your attacker not knowing what you did. Really, really don't > just concatenate salts to the beginning or end of the password.**** > > 4) Both MD5 and SHA1 are merkle-damgard construction hashes ( > http://en.wikipedia.org/wiki/Merkle%E2%80%93Damg%C3%A5rd_construction). > As a result, the concatenation of several hashes is no more secure than the > most secure of the individual hashes.**** > > ** ** > > -Nick Johnson**** > > ** ** > > On Sun, Nov 13, 2011 at 2:58 PM, Brandon Wirtz <drak...@digerat.com> > wrote:**** > > Unless you are protecting Medical records bcrypt is overkill if you do some > reasonably smart things like "Failed logins from IP >9" > > Or, if you just do something weird to the password BEFORE you SHA it. Like > interleave the user name in the password, Salt1 + UpSaEsRsNwAoMrEd + Salt2 > > Or Pick 2 Hash's SHA(pass) + Md5(pass) > > Don't want to store all that string length? Odd Characters from > Sha(Pass+salt) + Even Characters from MD5(Pass+Salt) > > Uniqueness of the method is more important than the method. > > > > -----Original Message----- > From: google-appengine@googlegroups.com > [mailto:google-appengine@googlegroups.com] On Behalf Of Brian Quinlan > Sent: Saturday, November 12, 2011 6:58 PM > To: google-appengine@googlegroups.com > Subject: Re: [google-appengine] Help resolve massive performance regression > in 2.7 vs 2.5 runtime**** > > > Hi Pol, > > On Sun, Nov 13, 2011 at 1:48 PM, Pol <p...@everpix.net> wrote: > > Hi, > > > > Since switching to 2.7 runtime, logging in to http://www.everpix.com > > went from about a second to anywhere from 15s to 60s. I tracked it > > down to this single password checking line: > > > > from bcrypt import bcrypt > > bcrypt.hashpw(password, self.password_hash) == self.password_hash > > What value are you using for "threadsafe" in your app.yaml? > > How large is self.password_hash? > > Cheers, > Brian > > > This comes from "a native Python implementation of the py-bcrypt > > package from http://www.mindrot.org/projects/py-bcrypt/"; grabbed from > > here: https://github.com/erlichmen/py-bcrypt. > > > > So what's happening here and how can we fix this? > > > > Thanks, > > > > - Pol > > > > -- > > You received this message because you are subscribed to the Google Groups > "Google App Engine" group. > > To post to this group, send email to google-appengine@googlegroups.com. > > To unsubscribe from this group, send email to > google-appengine+unsubscr...@googlegroups.com. > > For more options, visit this group at > http://groups.google.com/group/google-appengine?hl=en. > > > > > > -- > You received this message because you are subscribed to the Google Groups > "Google App Engine" group. > To post to this group, send email to google-appengine@googlegroups.com. > To unsubscribe from this group, send email to > google-appengine+unsubscr...@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/google-appengine?hl=en. > > > -- > You received this message because you are subscribed to the Google Groups > "Google App Engine" group. > To post to this group, send email to google-appengine@googlegroups.com. > To unsubscribe from this group, send email to > google-appengine+unsubscr...@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/google-appengine?hl=en.**** > > > > **** > > ** ** > > -- > Nick Johnson, Developer Programs Engineer, App Engine > > **** > > -- > You received this message because you are subscribed to the Google Groups > "Google App Engine" group. > To post to this group, send email to google-appengine@googlegroups.com. > To unsubscribe from this group, send email to > google-appengine+unsubscr...@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/google-appengine?hl=en.**** > > -- > You received this message because you are subscribed to the Google Groups > "Google App Engine" group. > To post to this group, send email to google-appengine@googlegroups.com. > To unsubscribe from this group, send email to > google-appengine+unsubscr...@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/google-appengine?hl=en. > -- Nick Johnson, Developer Programs Engineer, App Engine -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To post to this group, send email to google-appengine@googlegroups.com. To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.
