by billpg
3005 days ago
Suppose I develop a website that uses basic authentication. Because this is 2018, I store my users' passwords using bcrypt/scrypt/PBKDF2/et al. Every single request supplies the claimed password in the clear (wrapped in HTTPS), so I would need to run the long hashing process for every single request. I could maybe cache those clear passwords that I know are good in memory, but that's getting dangerously close to storing users' passwords in the clear. Is there a good practice for using basic authentication without overburdening the server's CPU?

Scale it by moving auth to its own URL, so you can then load-balance it differently if needed (and can add more security like disallowing JavaScript at all - via headers, etc)
But first, verify you are actually hitting CPU max because of bcrypt/scrypt/etc and not just because of crappy code or something.
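An added example, not part of either comment above, of the verification cache the question raises, done without holding plaintext passwords in memory: the cache stores an HMAC of each recently verified credential under a random per-process key with a short TTL, so the slow KDF runs only on a miss. It assumes PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt/scrypt, and a constructed single-user store (`alice`).

```python
import base64
import hashlib
import hmac
import secrets
import time
PBKDF2_ITERATIONS = 600_000          # OWASP-range work factor for PBKDF2-HMAC-SHA256
CACHE_TTL_SECONDS = 300              # how long a verified credential may skip the KDF
def _pbkdf2(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
# Constructed user store: username -> (salt, iterations, derived key). A real site loads this from its DB.
_alice_salt = secrets.token_bytes(16)
USERS = {"alice": (_alice_salt, PBKDF2_ITERATIONS, _pbkdf2("correct horse", _alice_salt, PBKDF2_ITERATIONS))}
# Dummy record so unknown usernames cost a KDF run too (no user enumeration via response timing).
_DUMMY = (secrets.token_bytes(16), PBKDF2_ITERATIONS, b"")
# Per-process cache key: random at startup, never persisted. The cache then holds keyed
# hashes of recently verified credentials rather than plaintext passwords, and entries expire.
_CACHE_KEY = secrets.token_bytes(32)
_cache = {}                          # username -> (hmac tag, expiry time)
_stats = {"kdf_runs": 0}             # counts expensive KDF invocations, for demonstration
def kdf_runs() -> int:
    return _stats["kdf_runs"]
def basic_header(username: str, password: str) -> str:
    # Build the Authorization header value a client would send.
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()
def _cache_tag(username: str, password: str) -> bytes:
    return hmac.new(_CACHE_KEY, f"{username}\0{password}".encode(), "sha256").digest()
def check_basic_auth(header: str, now=None) -> bool:
    # Validate an "Authorization: Basic ..." header, running the slow KDF only on cache misses.
    now = time.monotonic() if now is None else now
    scheme, _, encoded = header.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        username, _, password = base64.b64decode(encoded, validate=True).decode().partition(":")
    except ValueError:               # bad base64 or non-UTF-8 bytes
        return False
    tag = _cache_tag(username, password)
    cached = _cache.get(username)
    if cached and now < cached[1] and hmac.compare_digest(cached[0], tag):
        return True                  # same credential verified recently: skip PBKDF2
    salt, iterations, expected = USERS.get(username, _DUMMY)
    _stats["kdf_runs"] += 1
    if not hmac.compare_digest(_pbkdf2(password, salt, iterations), expected):
        _cache.pop(username, None)   # a failed attempt must not keep an old entry alive
        return False
    _cache[username] = (tag, now + CACHE_TTL_SECONDS)
    return True
```

A memory dump still exposes the ephemeral key together with the tags, so this narrows the exposure window rather than eliminating it; the TTL bounds how long a revoked or changed password keeps working.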