Password stretching - a way to mitigate CPU flood(密码拉伸 - 一种缓解 CPU 泛滥的方法)
问题描述
I'm now using password stretching for all user account passwords throughout all my websites. In the db I store an iteration count and randomly assigned salt along with the final hash. I'm using SHA512 as the hash algorithm. I'm using C# in .Net 3.5 and 4.0 (dual framework library) for this.
For accounts that only ever get randomly assigned passwords (things like web service API users etc) I keep the iteration count down to a range such that a password check takes no more than 1 second or so. Over the years, according to whether or not these websites stick(!), I will look at increasing these ranges in alignment with CPU power.
For accounts where the user might be choosing the password themselves, I have cranked up the iteration count so a login can take around 5 seconds while the iterations are carried out.
So I'm happy with the security of my passwords; but now I have another problem - I can flood an 8 core cpu with 100% usage for 5 seconds if I get 8 different people to login at once!
My current solution to this is to have an iteration threshold: If a stretch operation exceeds this, I push it on to a queue that is handled by a single thread. I could extend this further so that it uses at most half the processors in the machine.
Is there anything better I can do? Have you implemented this pattern for password storage and logon - what did you do?
The idea of password stretching is to have the attacker do the heavy work:
When a client wants to log in, the server presents a challenge. The client performs the resource-intensive calculations and sends a response to the server. The server should be able to determine whether the response is valid or not with very few resources.
Because it's the client that's doing the heavy work and the client requires a new challenge for each attempt to log in, brute-forcing all possible password combinations becomes (hopefully) too expensive for an attacker.
Have a look at the Salted Challenge Response Authentication Mechanism (SCRAM).
这篇关于密码拉伸 - 一种缓解 CPU 泛滥的方法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持编程学习网!
本文标题为:密码拉伸 - 一种缓解 CPU 泛滥的方法
- 良好实践:如何重用 .csproj 和 .sln 文件来为 CI 创建 2022-01-01
- C#MongoDB使用Builders查找派生对象 2022-09-04
- C# 中多线程网络服务器的模式 2022-01-01
- Web Api 中的 Swagger .netcore 3.1,使用 swagger UI 设置日期时间格式 2022-01-01
- WebMatrix WebSecurity PasswordSalt 2022-01-01
- 如何用自己压缩一个 IEnumerable 2022-01-01
- 带有服务/守护程序应用程序的 Microsoft Graph CSharp SDK 和 OneDrive for Business - 配额方面返回 null 2022-01-01
- 输入按键事件处理程序 2022-01-01
- MoreLinq maxBy vs LINQ max + where 2022-01-01
- 在哪里可以找到使用中的C#/XML文档注释的好例子? 2022-01-01
