security - Java: Is this good use of BCrypt? -


i know if current implementation of bcrypt correct, aware not using bcrypt.checkpw() may lead issue main reason verify here.

hasher.java container class:

abstract public class hasher {     public static string hash(final char[] input) {            string output = hasher.hash(new string(input));         (int = 0; < input.length; i++) {             input[i] = 0;         }         return output;     }      public static string hash(final string input) {         return bcrypt.hashpw(input, bcrypt.gensalt());     } }

one concern here: jpasswordfield gives me char[] security reasons, bcrypt.hashpw() accepts strings. how can avoid string floating around in memory?

the client implementation of logging in:

string hashedpassword = hasher.hash(password); network.getinstance().send("login " + username + " " + hashedpassword);

so hash gets sent on network, network not encrypted plan on adding that.

the server implementation on account creation:

public static account createaccount(final string username, final string password) {     string hashedpassword = hasher.hash(password.tochararray());     return new account(username, hashedpassword); }

the server implementation of checking password:

public boolean checkpassword(final string hashedpassword) {     return this.hashedpassword.equals(hashedpassword); }

with this.hashedpassword being hash in server's memory (which comes database on bootup).

properties of setup:

  • logging in takes client significant time, password hashed there.
  • creating account/changing password takes server significant time, password hashed on server then.
  • validating login attempts takes server practically no time, no hashing needs done.
  • if gets hold of database containing hashes, take him significant time crack password per account.
  • i still need figure out work factor bcrypt.gensalt().

please verify assumptions.

regards.

there couple problems setup.

1) salt should value randomly generated during hashing process (as seems in implementation. since client not have access database of stored hashes, client not know salt use when creating login hash.

2) implementation not checking password passed client, it's checking password hash passed client. means if gets database of hashes, can use hashes login. not need crack them extract passwords, since not check passwords.

both these issues can solved moving hashing server side.

update

regarding issues mentioned.

1) if have intention of creating secure system, should using ssl/tls. sending password hashes in clear totally insecure sending passwords in clear. both terrible idea. use https.

2) performing server side hashing pretty ordinary practice. hashing process computationally expensive enough make exhaustive search impractical, shouldn't hinder authentication workflow. if you're concerned being dosed, keep track of how many times given user has tried login in last n seconds. if they've failed number of times, lock account.


Comments

Post a Comment

Popular posts from this blog

SPSS keyboard combination alters encoding -

my question not have programming practical issue on spss. accident keyword combination cannot remember because did not intend press changed encoding in spss , text in data in different language english shown small boxes. nevertheless, when kind of analysis performed different language text shown in output. does know reason? tried change encoding did not produce result. first, @ edit > options , see whether setting unicode or locale. might fix it. if have text in multiple languages, want unicode. otherwise, may have specific locale set wrong. can change set locale, need know locale want use.
Read more

Add new record to the table by click on the button in Microsoft Access -

in ms access form want implement separate button, adds new record table. in order added button , attached button event: private sub btnaddrec_click() refresh codecontextobject on error resume next docmd.gotorecord , , acnewrec if err.number <> 0 btnaddrec.enabled = false end if end end sub everything ok when open window , click btnaddrec button, problem when first of perform navigation through existed records , after click on button. got runtime error: 2105: «you can't go specified record. may @ end of recordset» . how solve issue, need have ability add new record on click on specific button, no matter, have walked or not walked through records before. thanks. i created simple form field call description (and autonumber) , created button code follows click event. filled number of records , navigated through them, clicked addnewrec button. form navigated new record without issues. able click addnewrec button directly after
Read more

javascript - jQuery .height() return 0 when visible but non-0 when hidden -

i have problem here right opposite others: in jquery cannot height of element when it's visible, when hidden. have html code: <div id="filtering-filter-holder"> <div id="filtering-filter-holder-inner"></div> </div> basic css it: #filtering-filter-holder { display: none; position: absolute; width: 420px; min-height: 100px; padding: 5px 5px 5px 5px; background-color: #ffffff; border: 1px solid #164372; } and finally, js in document.ready(): $('div.filtering-filter-headline').mouseenter(function() { var el = $(this).parent().find('div.filtering-filter-content'); if ($('div#filtering-filter-holder').is(':visible')) { $('div#filtering-filter-holder-inner').stop(true, true).fadeout(300, function() { $('div#filtering-filter-holder-inner').html($(el).html()); var height = $('div#filtering-filter-holder-inner&#
Read more