Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make BCrypt costs dynamic #55

Open
Akron opened this issue Jan 24, 2020 · 1 comment
Open

Make BCrypt costs dynamic #55

Akron opened this issue Jan 24, 2020 · 1 comment

Comments

@Akron
Copy link
Member

Akron commented Jan 24, 2020

Currently a BCrypt implementation is used to store long-term client secrets for OAuth. This uses a fixed cost factor (security.encryption.loadFactor) with a fixed salt (security.passcode.salt), that can be adjusted in the configuration - but is not stored per client secret and thus not adjustable (to the best of my understanding).
I would suggest to make

  1. the salt random per password
  2. the cost dynamic, so that global changes to the cost should lead to rehashing client secrets hashed with different costs on usage.
@Akron
Copy link
Member Author

Akron commented Jan 24, 2020

Update: It seems that salt+cost is actually stored per client secret. But it's not random per password, as long as security.passcode.salt is set. And it's not updated with an updated cost factor.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Akron