|
|
|
|
|
|
by Someone1234
4086 days ago
|
|
|
If someone has an active compromise on a running machine, they can intercept network traffic and bypass bcrypt completely. > In other words, it's only 2% slower to use 15 rounds than it is 5, and the default (10) is less than 1% slower. So are you arguing that your complaint is petty or isn't? Because this isn't helping your case. Overall your attack scenario is where an attacker has just enough access to the machine to read memory in the redis database, but not enough access to read memory in the web-server, or at the point before bcrypt has been run in the process. If redis was stored to disk you may have a valid point. As it stands your argument actually doesn't make sense. If they can access Redis they can access pre-bcrypt passwords and therefore making bcrypt's rounds completely unimportant. |
|
|
No. The unhashed passwords are not stored in redis. What I think you're missing is that there's a significant difficulty gap between connecting to, and reading data from, redis compared to gaining root access and reading arbitrary memory on the server.
> So are you arguing that your complaint is petty or isn't? Because this isn't helping your case.
You make a good point - even if it's not the one you were trying to make - and that it's that my benchmark was not particularly helpful as it measured per operation, not per hash.
You missed the point I was really trying to make, though, which is that difference between 5 rounds and 15 (your choice, not mine - I probably wouldn't choose 15) isn't that significant when you're doing legitimate stuff, like hashing chatroom passwords. It is significant if you're brute-forcing.