最佳bcrypt工作因子 [英] Optimal bcrypt work factor

问题描述

对于密码哈希而言，理想的bcrypt工作因素是什么.

What would be an ideal bcrypt work factor for password hashing.

如果我使用10的因数，则散列笔记本电脑上的密码大约需要0.1秒.如果我们的站点非常繁忙，那么仅检查人们的密码就需要进行大量工作.

If I use a factor of 10, it takes approx .1s to hash a password on my laptop. If we end up with a very busy site, that turns into a good deal of work just checking people's passwords.

使用7的工作因子可能会更好，将每台笔记本电脑登录的总密码哈希工作减少到大约.01s?

Perhaps it would be better to use a work factor of 7, reducing the total password hash work to about .01s per laptop-login?

您如何确定暴力安全性和运营成本之间的权衡?

How do you decide the tradeoff between brute force safety and operational cost?

推荐答案

请记住，该值存储在密码$2a$(2 chars work)$(22 chars salt)(31 chars hash)中.这不是固定值.

Remember that the value is stored in the password: $2a$(2 chars work)$(22 chars salt)(31 chars hash). It is not a fixed value.

如果您发现负载太高，只需进行设置即可，以便下次他们登录时，您可以加密到更快的速度来进行计算.同样，随着时间的流逝，您将获得更好的服务器，如果负载不是问题，则可以在其登录时提升其哈希强度.

If you find the load is too high, just make it so the next time they log in, you crypt to something faster to compute. Similarly, as time goes on and you get better servers, if load isn't an issue, you can upgrade the strength of their hash when they log in.

诀窍是让它与摩尔定律一起在未来永远占据大致相同的时间. 该数字为log2，因此每次计算机速度加倍时，请将默认数字加1.

The trick is to keep it taking roughly the same amount of time forever into the future along with Moore's Law. The number is log2, so every time computers double in speed, add 1 to the default number.

确定暴力破解用户密码所需的时间.例如，对于某些常见的词典单词，您的帐户创建可能已经警告他们密码不正确.举例来说，如果它是1000个常用词之一，并且攻击者测试每个词需要0.1秒钟，那么他们将购买100个常用词(好吧，有些单词更常见...).如果用户选择通用词典词" + 2个数字，则超过两个小时.如果您的密码数据库遭到破坏，并且攻击者每天只能获得几百个密码，则您已花了数小时或数天的时间购买了大部分用户，以安全地更改其密码.这是为他们争取时间的问题.

Decide how long you want it to take to brute force a user's password. For some common dictionary word, for instance, your account creation probably already warned them their password was weak. If it's one of 1000 common words, say, and it takes an attacker 0.1s to test each, that buys them 100s (well, some words are more common...). If a user chose 'common dictionary word' + 2 numbers, that's over two hours. If your password database is compromised, and the attacker can only get a few hundred passwords a day, you've bought most of your users hours or days to safely change their passwords. It's a matter of buying them time.

http://www.postgresql.org/docs/8.3/static/pgcrypto.html 有很多时间可以破解密码供您考虑.当然，他们列出的密码是随机字母.词典单词...实际上，您无法保存密码为12345的家伙.

http://www.postgresql.org/docs/8.3/static/pgcrypto.html has some times for cracking passwords for you to consider. Of course, the passwords they list there are random letters. Dictionary words... Practically speaking you can't save the guy whose password is 12345.

这篇关于最佳bcrypt工作因子的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！