Spring Security SEC-1389: Add "iterations" property to password encoders

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.0.2
    • Component/s: Core
    • Labels: None

      Activity

      Luke Taylor added a comment -

      Added to BaseDigestPasswordEncoder.

      Jared Stehler added a comment -

      Forgive my naivety, but I read the wiki page as saying that the key strengthening principle is applicable at the client side, to increase the processing time required to generate a password hash, so that brute force attackers need to expend more CPU resources to generate each guess, thereby also increasing time-between-guesses. Unless passwordEncoders are used in the client side, all this change does is increase server load, especially during brute force attacks.

      From http://en.wikipedia.org/wiki/Key_strengthening:

      "If the attacker uses the same class of hardware as the user, each guess will take the same amount of time it took the user (for example, one second). Even if the attacker might have much greater computing resources than the user, the key strengthening will still slow him down. The user only has to compute the strengthening function once to use his known password, but the attacker must compute it for each guess in his attack."

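An added example, not Spring Security's own code, of what an iterations property buys a defender: a salted, iterated SHA-256 encoder whose verifier reads the salt and iteration count back from the stored record. The `password{salt}` layout, the `sha256$count$salt$hex` record format and the `needs_upgrade` helper are this example's own assumptions. The server pays the iteration count once per login; anyone testing guesses against a stolen record pays it once per guess.

```python
import hashlib
import hmac
import secrets

# Constructed sample inputs for the demonstration.
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_SALT = "a1b2c3d4"


def iterated_digest(raw: str, salt: str, iterations: int) -> str:
    """Digest "password{salt}" once, then re-digest the result iterations-1 times.
    The merge layout and loop are an assumed model of an "iterations" setting,
    not a claim about Spring's exact implementation."""
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    digest = hashlib.sha256(f"{raw}{{{salt}}}".encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest).digest()
    return digest.hex()


def encode_password(raw: str, iterations: int, salt=None) -> str:
    """Return a self-describing record "sha256$<iterations>$<salt>$<hex>".
    Storing the count with the hash (this example's addition) lets the
    count be raised later without invalidating existing records."""
    salt = salt if salt is not None else secrets.token_hex(8)
    return f"sha256${iterations}${salt}${iterated_digest(raw, salt, iterations)}"


def is_password_valid(record: str, raw: str) -> bool:
    """Re-derive with the record's own salt and count; compare in constant time."""
    algorithm, count, salt, expected = record.split("$", 3)
    if algorithm != "sha256":
        return False
    return hmac.compare_digest(iterated_digest(raw, salt, int(count)), expected)


def needs_upgrade(record: str, current_iterations: int) -> bool:
    """True when the stored count is below current policy; re-encode the
    record at the user's next successful login, when the plaintext is known."""
    return int(record.split("$", 3)[1]) < current_iterations


def digests_per_guess(record: str) -> int:
    """SHA-256 calls one offline guess against this record costs: the same
    number a single legitimate login costs the server."""
    return int(record.split("$", 3)[1])


if __name__ == "__main__":
    rec = encode_password(SAMPLE_PASSWORD, 1000, SAMPLE_SALT)
    print(rec, is_password_valid(rec, SAMPLE_PASSWORD), digests_per_guess(rec))
```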

        People

        • Assignee: Luke Taylor
        • Reporter: Luke Taylor
        • Votes: 0
        • Watchers: 1
