Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Password stretching - a way to mitigate CPU flood

Tags:

c#

security

passwords

I'm now using password stretching for all user account passwords throughout all my websites. In the db I store an iteration count and randomly assigned salt along with the final hash. I'm using SHA512 as the hash algorithm. I'm using C# in .Net 3.5 and 4.0 (dual framework library) for this.

For accounts that only ever get randomly assigned passwords (things like web service API users etc) I keep the iteration count down to a range such that a password check takes no more than 1 second or so. Over the years, according to whether or not these websites stick(!), I will look at increasing these ranges in alignment with CPU power.

For accounts where the user might be choosing the password themselves, I have cranked up the iteration count so a login can take around 5 seconds while the iterations are carried out.

So I'm happy with the security of my passwords; but now I have another problem - I can flood an 8 core cpu with 100% usage for 5 seconds if I get 8 different people to login at once!

My current solution to this is to have an iteration threshold: If a stretch operation exceeds this, I push it on to a queue that is handled by a single thread. I could extend this further so that it uses at most half the processors in the machine.

Is there anything better I can do? Have you implemented this pattern for password storage and logon - what did you do?

like image 452
Andras Zoltan Avatar asked Jan 19 '23 13:01

Andras Zoltan

1 Answers

The idea of password stretching is to have the attacker do the heavy work:

When a client wants to log in, the server presents a challenge. The client performs the resource-intensive calculations and sends a response to the server. The server should be able to determine whether the response is valid or not with very few resources.

Because it's the client that's doing the heavy work and the client requires a new challenge for each attempt to log in, brute-forcing all possible password combinations becomes (hopefully) too expensive for an attacker.

Have a look at the Salted Challenge Response Authentication Mechanism (SCRAM).

like image 99
dtb Avatar answered Jan 29 '23 09:01

dtb
Sign in to Comment

Related questions

How do I dynamically embed a winform subform into the tab control of a main winform?
'DataSource' property cannot be set declaratively
C# Utility functionality Static Method / Static Class / Singleton pattern
How to access external .config files?
Count the number of characters and words in Array
iTextSharp PDF printing
linq to entities orderby
how to get index of the last selected row from a selection of rows in a DataGridView
WebDriver can find element using xpath, Html Agility Pack cannot
webBrowser.Navigate synchronously
Debug Managed and Unmanaged code together
C# Regular Expression: {4} and more then 4 values possible
Can I use multiple BackgroundWorker's in a synchronous way in WPF?
Get a list of files in a Solution/Project using DXCore console application
Byte array marshaling for PostMessage
LINQ to SQL "aggregating" property
Regex to match the path before the resource from a URL
Reading two inputs from the user
Is casting an IEnumerable to an ArrayList O(N) or O(1)?
Does WPF have a "static box" control?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!