How MembershipReboot stores passwords (2014)

by sakopov on 7/11/2015, 2:55 PM with 4 comments
  • by StavrosK on 7/11/2015, 6:07 PM

    This isn't that innovative, it's exactly what Django does by default.

    By the way, this:

    > And finally, MembershipReboot allows an application to require the user change their password periodically. This way user’s password can get updated with the current iteration count.

    is pretty horrible. Don't force the user to change their password. If you need to upgrade the iterations, just do it seamlessly the next time they authenticate.

  • by t0mas88 on 7/11/2015, 8:48 PM

    I stopped reading here:

    > To help determine the right iterations for your hardware I have an utility here.

    Everyone with just the slightest idea of how hashing and password cracking works should know that there is no such thing as "right number of iterations for your hardware" because the attacker would obviously have different hardware.

  • by ExpiredLink on 7/11/2015, 6:10 PM

    He doesn't store passwords - which would be a terrible idea.

  • by melle on 7/11/2015, 6:28 PM

    How is this different from bcrypt?