by wnight
5359 days ago
Is that specifically to inconvenience someone who would break in, steal your password list, and crack it offline? If not, what was the design goal? If slowing down web login attempts isn't part of it, why not get a dedicated auth server and offload the crypt stuff onto it? And if it is the goal, you could use CPU-friendly sleeps on the front-end to give increasing delays to the repeated guesser.

Probably: http://codahale.com/how-to-safely-store-a-password/
Hashing functions designed for speed are absolutely the wrong thing for passwords.
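
The two defences discussed in this thread, as an added example that is not part of either comment: a deliberately slow password hash that raises the per-guess cost of offline cracking, and a sleep-based delay schedule for repeated online guesses. PBKDF2-HMAC-SHA256 from the Python standard library, the iteration count, and the delay parameters are assumptions chosen for illustration; the thread does not name a specific function or values.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # assumed work factor; tune so one hash costs ~100 ms on your hardware


def fast_hash(password: bytes, salt: bytes) -> bytes:
    """Speed-oriented hash: a stolen list can be guessed at one SHA-256 call per try."""
    return hashlib.sha256(salt + password).digest()


def slow_hash(password: bytes, salt: bytes) -> bytes:
    """Deliberately slow derivation: every offline guess pays ITERATIONS rounds."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)


def verify(password: bytes, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison so the check does not leak how many bytes matched."""
    return hmac.compare_digest(slow_hash(password, salt), stored)


def cost_per_guess(hash_fn, rounds: int = 3) -> float:
    """Average wall-clock seconds an attacker spends on one guess with hash_fn."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(rounds):
        hash_fn(b"guess%d" % i, salt)
    return (time.perf_counter() - start) / rounds


def login_delay(failures: int, base: float = 0.5, cap: float = 30.0) -> float:
    """Seconds the front end sleeps before answering, after `failures` bad attempts.

    Doubles per consecutive failure and is capped. A sleep costs the server no CPU,
    unlike the slow hash, but it only throttles online guessing.
    """
    if failures <= 0:
        return 0.0
    return min(cap, base * 2 ** (failures - 1))


if __name__ == "__main__":
    fast, slow = cost_per_guess(fast_hash), cost_per_guess(slow_hash)
    print(f"fast: {fast:.6f}s/guess  slow: {slow:.6f}s/guess  ratio: {slow / fast:,.0f}x")
    print("delay schedule:", [login_delay(n) for n in range(0, 9)])
```

The delay schedule does nothing once the password list has been stolen; only the per-guess cost of the stored hash applies to offline cracking.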