ericelliott / credential

Easy password hashing and verification in Node. Protects against brute force, rainbow tables, and timing attacks.
MIT License

Default number of iterations seems extreme #80

Closed danderson00 closed 6 years ago

danderson00 commented 6 years ago

With default configuration, we are observing that the number of iterations is around 480000, causing the hashing process to take around 2 seconds on a high-spec development machine. This has a few consequences - aside from slow login, integration test suites are very slow, and it is foreseeable that it could cause performance issues in production.

Is this by design?

The recommendation from our security team is to tune it so it takes roughly 0.5 seconds.

ericelliott commented 6 years ago

This is by design, and should actually be about quadruple that now to stay ahead of advancements in botnet firepower.

I strongly recommend that your app and your credential systems run on two different app instances. Even better, delegate credential management to a third-party service with specialized expertise in security.

Basically, if you don't have the resources to keep ahead of the hackers using 90,000 node botnets to crack passwords, you shouldn't be in the business of credential management. It's not safe.

danderson00 commented 6 years ago

No worries, many thanks for the response! We've configured testing to use a smaller workload to ensure it is not too slow for now, and we'll definitely look at using an authentication provider.

Thanks again.