
Websites which know your new password is similar to your old one

Rakanoth
9 minutes ago, reniat said:

talk to a security team if you have one to make sure they are on board

That's the position I'm moving into, but I can always run it past my CTO.

 

9 minutes ago, reniat said:

profile and benchmark your current login to make sure you don't add too much time between input and response (it really shouldn't be an issue, but always measure before/after)

This is something I'll be doing, as I'll be taking the lead in creating our APIs in AWS Lambda, and I do like things fast.

 

9 minutes ago, reniat said:

I would definitely avoid extracting the salt from the hash, and just store it in another column at the time when the new password is chosen like you would if you weren't using bcrypt. 

This is my main consideration just now, but I need to work on my backlog before I get to play with new things :(

 

We are also moving to AWS Cognito for handling our auth, which means we can break all our front ends into S3 and our back ends will all be Lambdas.

                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´
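The check this thread is about, as an added example that is not code from the original post or from any of the posters: the server keeps the old salt in its own column (as reniat suggests rather than parsing it back out of a combined hash string) and, when a new password is chosen, hashes a handful of cheap mutations of the new password with the old salt and compares each against the old hash. The old plaintext is never stored. It uses PBKDF2-HMAC-SHA256 from Python's standard library instead of bcrypt so it runs with no third-party packages; the iteration count, salt length, the mutation heuristics in `variants`, and the sample passwords are all assumptions. With bcrypt the salt is already embedded in the hash string, so the per-variant comparison would simply be `bcrypt.checkpw(variant, old_hash)`.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Assumed cost parameters (not from the thread); tune after benchmarking.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def new_credential(password: str) -> Tuple[bytes, bytes]:
    """Hash a newly chosen password. Returns (salt, hash) as two values so they
    can be stored in two columns instead of being parsed back out of one string."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, stored_hash: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored_hash)


def variants(password: str) -> List[str]:
    """Mutations users commonly apply when told to pick a different password.
    Hashing each with the OLD salt and comparing to the OLD hash detects
    "Summer2023!" -> "Summer2024!" style changes without the old plaintext.
    The list is deduplicated and keeps its order (cheapest guesses first)."""
    cands = [
        password,
        password.lower(),
        password.upper(),
        password.capitalize(),
        password.swapcase(),
        re.sub(r"[\d\W_]+$", "", password),   # drop trailing digits/symbols
        re.sub(r"^[\W_]+", "", password),     # drop leading symbols
    ]
    # Bump a trailing number up or down by one, keeping its width and any
    # trailing symbols: "hunter02!" -> "hunter01!", "hunter03!"
    m = re.match(r"^(.*?)(\d+)([\W_]*)$", password)
    if m:
        base, num, tail = m.groups()
        for delta in (-1, 1):
            n = int(num) + delta
            if n >= 0:
                cands.append(f"{base}{n:0{len(num)}d}{tail}")
    out: List[str] = []
    for c in cands:
        if c and c not in out:
            out.append(c)
    return out


def too_similar(new_password: str, old_salt: bytes, old_hash: bytes) -> Optional[str]:
    """Return the variant of new_password that matches the old credential, or
    None if the new password is acceptably different. Each variant costs one
    full KDF run, so keep the variant list short and measure the latency."""
    for v in variants(new_password):
        if verify(v, old_salt, old_hash):
            return v
    return None


if __name__ == "__main__":
    # Constructed sample: the user's old password is "Summer2023!".
    salt, old_hash = new_credential("Summer2023!")
    for attempt in ("Summer2024!", "summer2023!", "correct horse battery"):
        hit = too_similar(attempt, salt, old_hash)
        print(f"{attempt!r}: {'rejected, matches old via ' + repr(hit) if hit else 'accepted'}")
```

Two things to keep in mind when running this. The check is one-directional: it can only find old passwords that are reachable by mutating the new one (dropping the suffix from "Summer2024!" finds "Summer"), so a user going from "Summer" to "Summer2024!" is caught while the reverse is not unless you also add append-style mutations. And every variant is a full KDF run at the same cost as a login, which is exactly why reniat's advice to benchmark the login path before and after applies here.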


12 minutes ago, KuJoe said:

I personally hate it when I see a DB dump with a field named 'salt', but that might just be me. :)

Again, as long as the salt isn't leaked ahead of a breach, the attacker doesn't gain much from having the salt + password hash. The only way the attacker benefits from knowing a salt is if they get it, but not the password hash, and have time to build a rainbow table so that if they DO get the hash they might have it pre-computed. If there is a breach and they get hashed passwords, learning the salt at the exact same time really won't make much difference except for the added length, and that's it. Plus if there's a breach, it's likely that if they can get your password hashes they can probably get your salts anyway.

 

EDIT: it's like hiding your car radio in your glove box every time you park. Sure it's technically an extra security step, but if they are already in your car they can probably get into the glovebox and you're just adding extra work for yourself.

