Best way to hash remember me token

I am trying to implement a "remember me" function, following the recommendations given here: The definitive guide to form-based website authentication, and here: http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/

It seems that the cookie token should be hashed if it is stored in the database (if an attacker has access to the database, unhashed tokens are like plaintext username/password pairs that allow logging into the website).

I am looking for a good hashing algorithm, and I found this recommended method using bcrypt: https://stackoverflow.com/a/4648/

I tried it and found that with the proposed number of rounds (15) it leads to a very slow processing time (hashing 2.3 s + checking 2.3 s on an Intel Core 2 Duo E8500 with 4 GB of RAM).

I know that hashing algorithms should be relatively slow in order to hinder attackers, but at this level it prevents users from using the website :)

Do you think that fewer rounds (e.g. 7, which reduces the processing time to 10 ms + 10 ms) would be enough?

+6
1 answer

Quoting The definitive guide to form-based website authentication:

DO NOT STORE THE PERSISTENT LOGIN COOKIE (TOKEN) IN YOUR DATABASE, ONLY A HASH OF IT! The login token is password-equivalent, so if an attacker got their hands on your database, they could use the tokens to log in to any account, just as if they were cleartext login-password combinations. Therefore, use strong salted hashing (bcrypt / phpass) when storing persistent login tokens.

I agree with the first bold sentence, but not the last.

If I'm not mistaken, the purpose of a strong salted hashing algorithm is to prevent someone from recovering passwords using a rainbow table.

But here the hashed string is not a password, but a random string. Therefore, it is rather unlikely that any rainbow table could yield the original hashed string. I would even suggest that a basic hash('sha256', $randomString) call is enough for this, since the goal is just to have different values for the token in the database and in the cookie.

+13
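The scheme the answer describes, as an added example that is not part of the original thread (written in Python rather than the PHP hash() call the answer mentions): the cookie carries a high-entropy random token, the database keeps only sha256(token), and because the token is uniformly random rather than a human-chosen password, a fast unsalted hash is sufficient. The series/token split and the theft-detection rule follow the Fishbowl article linked in the question; the class name, the in-memory dictionary standing in for a database table, and the cookie layout `series:token` are assumptions made for this example.

```python
"""Persistent-login ("remember me") tokens stored as SHA-256 hashes.

Added example, not code from the original thread. The cookie value is
"series:token"; the database (here an in-memory dict, a stand-in for a real
table) stores series -> (user, sha256(token)). A database leak therefore
yields no usable cookies, and no rainbow table can cover 2**256 random inputs,
which is why a plain fast hash is enough here, unlike for user passwords.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TOKEN_BYTES = 32  # 256 bits of entropy per token


def token_hash(token: str) -> str:
    """Hash of the cookie token as stored in the database (never the token itself)."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


@dataclass
class SeriesRecord:
    user: str
    token_hash: str  # hex sha256(token)


class RememberMeStore:
    def __init__(self) -> None:
        # Assumed stand-in for a DB table keyed by series identifier.
        self._rows: Dict[str, SeriesRecord] = {}

    def issue(self, user: str) -> str:
        """Start a new series for `user` and return the cookie value 'series:token'."""
        series = secrets.token_hex(16)
        token = secrets.token_hex(TOKEN_BYTES)
        self._rows[series] = SeriesRecord(user, token_hash(token))
        return f"{series}:{token}"

    def validate(self, cookie: str) -> Tuple[Optional[str], Optional[str]]:
        """Check a presented cookie.

        Returns (user, new_cookie) on success; the token is rotated on every use.
        Returns (None, None) if the cookie is malformed or the series is unknown.
        Returns (user, None) if the series exists but the token is wrong: per the
        Fishbowl scheme this is the theft signal, so every series of that user is
        revoked and the user must log in with a password again.
        """
        try:
            series, token = cookie.split(":", 1)
        except ValueError:
            return None, None
        row = self._rows.get(series)
        if row is None:
            return None, None
        # Constant-time comparison of the stored and presented hashes.
        if not hmac.compare_digest(row.token_hash, token_hash(token)):
            self.revoke_user(row.user)
            return row.user, None
        new_token = secrets.token_hex(TOKEN_BYTES)
        row.token_hash = token_hash(new_token)
        return row.user, f"{series}:{new_token}"

    def revoke_user(self, user: str) -> int:
        """Delete every series belonging to `user`; returns how many were removed."""
        victims = [s for s, r in self._rows.items() if r.user == user]
        for s in victims:
            del self._rows[s]
        return len(victims)

    def stored_hashes(self) -> List[str]:
        """What an attacker with read access to the table would see."""
        return [r.token_hash for r in self._rows.values()]


if __name__ == "__main__":
    store = RememberMeStore()
    cookie = store.issue("alice")
    print("cookie:", cookie)
    print("db holds:", store.stored_hashes())
    print("first use:", store.validate(cookie))
    print("replay of old cookie (theft):", store.validate(cookie))
```

Note that the answer's point holds only while the token is generated with a CSPRNG and has enough entropy; if the "token" were derived from anything guessable (user id, timestamp), the fast hash would no longer be adequate.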

Source: https://habr.com/ru/post/903751/
