luckyframework / authentic

An authentication library for Lucky projects
MIT License

Encryption cost. #5

Closed 9876691 closed 6 years ago

9876691 commented 6 years ago

https://github.com/luckyframework/authentic/blob/5786d59144ee0c8c1da38485de16c7522e805183/src/authentic.cr#L34

I would recommend you start with a higher cost than this; Crystal should be pretty fast, so perhaps 14?

source https://security.stackexchange.com/questions/3959/recommended-of-iterations-when-using-pkbdf2-sha256/3993#3993

Or even better

setting encryption_cost : Int32 = ENV.fetch("BCRYPT_ENCRYPTION_COST", "14").to_i

If an attacker gets the database they will run through known passwords to open up each underlying bcrypted password. The cost is meant to slow down this attack.

paulcsmith commented 6 years ago

Thank you for opening this. I thought 10 was the default in Crystal, but it turns out it is 11: https://crystal-lang.org/api/0.24.2/Crypto/Bcrypt.html

I’d like to stick with Crystal’s default because they’ve researched the cost more than I have. As a bonus, if performance improves and they decide to change it, it changes in authentic as well. So I’ll make a PR to use the DEFAULT_COST const instead of 10. Unless you’d like to open a PR for that. If you do, LMK :)

In the meantime there is a workaround. As you probably know (but I’ll leave it here for future reference), since authentic uses Habitat you’re free to increase the cost to 14 or use an ENV var by changing the configuration in your app:

Authentic.configure do
  settings.encryption_cost = 14
end

On my phone so pardon any typos.

On Apr 26, 2018, at 6:06 AM, Ian Purton notifications@github.com wrote:

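As an added example (not code from the authentic project or from either commenter), the Crystal program below does what the thread discusses end to end: it reads the cost from the BCRYPT_ENCRYPTION_COST variable suggested above, falling back to Crystal's Crypto::Bcrypt::DEFAULT_COST, rejects values outside the stdlib's cost range, times one hash per cost so the value passed to settings.encryption_cost can be the highest cost that stays inside a login latency budget, and shows that a raised cost does not invalidate hashes already in the database, since each hash carries its own cost. The helper names, the 250 ms budget and the sample passwords are assumptions; only the Crystal standard library is used.

```crystal
require "crypto/bcrypt"
require "crypto/bcrypt/password"

# Env var name taken from the suggestion in this thread (assumption).
COST_ENV = "BCRYPT_ENCRYPTION_COST"

# Resolve the cost: the env var if set, else Crystal's DEFAULT_COST (11).
# ENV[name] raises KeyError when the variable is unset, so the nil-safe
# lookup ENV[name]? is what makes the fallback work.
def bcrypt_cost_from_env : Int32
  raw = ENV[COST_ENV]?
  cost = raw ? raw.to_i : Crypto::Bcrypt::DEFAULT_COST
  unless Crypto::Bcrypt::COST_RANGE.includes?(cost)
    raise ArgumentError.new("#{COST_ENV}=#{cost} is outside #{Crypto::Bcrypt::COST_RANGE}")
  end
  cost
end

# Wall-clock time of a single bcrypt hash at the given cost, in milliseconds.
def bcrypt_ms(cost : Int32, password : String = "correct horse battery staple") : Float64
  start = Time.monotonic
  Crypto::Bcrypt::Password.create(password, cost: cost)
  (Time.monotonic - start).total_milliseconds
end

# Highest cost in DEFAULT_COST..max whose single hash stays under budget_ms
# on this machine. Each cost step doubles the work for the attacker and for
# the login path alike, so the budget is the only real constraint.
def calibrate_cost(budget_ms : Float64, max : Int32 = 14) : Int32
  chosen = Crypto::Bcrypt::DEFAULT_COST
  (Crypto::Bcrypt::DEFAULT_COST..max).each do |cost|
    ms = bcrypt_ms(cost)
    puts "cost #{cost}: #{ms.round(1)} ms"
    break if ms > budget_ms
    chosen = cost
  end
  chosen
end

puts "configured cost: #{bcrypt_cost_from_env}"
puts "recommended cost for a 250 ms budget: #{calibrate_cost(250.0)}"

# The cost is embedded in the hash string ("$2a$11$..."), so hashes stored
# before the setting was raised still verify; only new hashes get the new cost.
old_hash = Crypto::Bcrypt::Password.create("hunter2", cost: 11)
puts "stored hash cost: #{old_hash.cost}"
puts "still verifies after raising the setting: #{old_hash.verify("hunter2")}"
```

The value returned by bcrypt_cost_from_env (or the one printed by calibrate_cost) is what goes into settings.encryption_cost inside the Authentic.configure block shown above. Run the calibration on hardware comparable to production: a cost that is comfortable on a developer laptop can be several times slower on a small container, and a cost high enough to stall the login endpoint is itself a denial-of-service lever.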