DaylightingSociety / WhereAreTheEyes

Surveillance Detection and Mapping App
https://eyes.daylightingsociety.org
BSD 3-Clause "New" or "Revised" License

Slow Registration Issue #57

Closed milo-trujillo closed 6 years ago

milo-trujillo commented 6 years ago

Registration of new accounts is very, very slow. It's slow enough that some users cannot register accounts, because their browser returns a "Service Unavailable" error prematurely.

Here's the technical problem:

We can avoid the problem by using the same salt for all future accounts, reducing lookup times from O(n) to O(1). This technically sacrifices some anonymity, in that it will now be easier for an attacker that's stolen our login database to brute force usernames.

My questions:

  1. Do we find this degree of anonymity loss acceptable?
  2. If using the same salt is acceptable, how do we transition the database so registration is snappy?

Feedback from the community would be greatly appreciated.

milo-trujillo commented 6 years ago

Fixed on the 1.4 branch, and pushed to the live server.

I switched to using salted SHA256 hashes for the usernames, reducing lookup to O(1), and fall back to the legacy login database if a username isn't present in the new login table.

I also removed the requirement that usernames be unique, so looking in the legacy database is not required for new user registration. This means user lookups are only extremely slow if a non-existent user attempts to mark or unmark a camera, which is acceptable behavior.
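
The lookup behaviour described in this thread, as an added example that is not the project's own code: a shared-salt table answers in one hash, while accounts left in the legacy table still cost a full scan. It assumes the legacy table stored one random salt per account and used SHA256; the class, method names and salt value are hypothetical.

```ruby
require 'digest'
require 'securerandom'

# Constructed model of the two login tables; all names are hypothetical.
class LoginStore
  def initialize(global_salt)
    @global_salt = global_salt
    @legacy = []      # [salt, digest] pairs, one random salt per account (assumed)
    @current = {}     # keyed by SHA256(global_salt + username)
    @hash_count = 0   # hash computations performed, to make the cost visible
  end

  # Legacy scheme (assumed): a unique salt per account, so the stored digest
  # cannot be used as an index key and every lookup has to scan.
  def add_legacy(username)
    salt = SecureRandom.hex(16)
    @legacy << [salt, Digest::SHA256.hexdigest(salt + username)]
  end

  # New scheme: one shared salt. There is no uniqueness check, so the legacy
  # table is never scanned during registration.
  def register(username)
    @current[digest(@global_salt, username)] = true
  end

  # O(1) lookup in the new table, then an O(n) fallback scan of the legacy table.
  def known?(username)
    return true if @current.key?(digest(@global_salt, username))
    @legacy.any? { |salt, stored| digest(salt, username) == stored }
  end

  # Returns [found, hash computations spent on this one lookup].
  def lookup_cost(username)
    before = @hash_count
    found = known?(username)
    [found, @hash_count - before]
  end

  private

  def digest(salt, username)
    @hash_count += 1
    Digest::SHA256.hexdigest(salt + username)
  end
end
```

The same property that makes the new table indexable is the anonymity cost raised in the first comment: with a single salt, one hash per guessed username can be checked against every stored row at once.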