Closed milo-trujillo closed 6 years ago
Fixed on the 1.4 branch, and pushed to the live server.
I switched to using salted SHA256 hashes for the usernames, reducing lookup to O(1), and fall back to the legacy login database if a username isn't present in the new login table.
I also removed the requirement that usernames be unique, so looking in the legacy database is not required for new user registration. This means user lookups are only extremely slow if a non-existent user attempts to mark or unmark a camera, which is acceptable behavior.
Registration of new accounts is very, very slow. It's slow enough that some users cannot register accounts, because their browser returns a "Service Unavailable" error prematurely.
Here's the technical problem:
O(n) comparison)

We can avoid the problem by using the same salt for all future accounts, reducing lookup times from O(n) to O(1). This technically sacrifices some anonymity, in that it will now be easier for an attacker that's stolen our login database to brute force usernames.

My questions:
Feedback from the community would be greatly appreciated.
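The O(n) versus O(1) trade-off discussed in this issue, as an added illustration that is not the project's own code: a legacy table with a random salt per username must be scanned row by row, while a table keyed by a site-wide salt is a single dictionary lookup, with the legacy scan kept only as a fallback. Table names, the 16-byte salt size and the `lookup` return shape are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed demo of the two username-hashing schemes the issue compares
# (not the project's code). Storage layout and names are assumptions.

# Legacy table: each username hashed under its own random salt, stored as
# (salt, digest) rows. Checking a name means re-hashing it under every
# stored salt, so a miss costs one hash and one compare per row: O(n).
legacy_table = []

# New table: one site-wide salt, so the digest itself is the dict key: O(1).
# Cost of that choice: an attacker holding the table can test a guessed
# username against every row with a single hash instead of one per row.
GLOBAL_SALT = secrets.token_bytes(16)
new_table = {}


def hash_username(username: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + username.encode("utf-8")).digest()


def register_legacy(username: str) -> None:
    salt = secrets.token_bytes(16)
    legacy_table.append((salt, hash_username(username, salt)))


def register(username: str) -> None:
    # Uniqueness is not enforced, so registration never scans the legacy table.
    new_table[hash_username(username, GLOBAL_SALT)] = {"registered": True}


def lookup(username: str) -> tuple:
    """Return (where_found, hash_operations); where_found is 'new', 'legacy' or None."""
    ops = 1
    if hash_username(username, GLOBAL_SALT) in new_table:
        return "new", ops
    # Fall back to the legacy table: one hash and one constant-time compare per row.
    for salt, digest in legacy_table:
        ops += 1
        if hmac.compare_digest(hash_username(username, salt), digest):
            return "legacy", ops
    return None, ops
```

A miss (a username in neither table) always pays the full legacy scan, which is the "non-existent user" slow path the closing comment accepts.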