We're using bcrypt to hash the users' passwords, and we store a list of the last 10 hashes to make sure they don't use the same password as the last 10 when they create a new one.
One issue we're running into is that checking the password history is a very slow process. The algorithm goes something like this:
// The user's entered password on the password change page
String rawPassword = ...
// For demonstration purposes, the password has passed all other validation measures
Boolean passwordIsValid = true;
// Loop through all the stored passwords we have for that user. We have a max of 10
for (String oldHashed: user.passwordHashHistory) {
// Must re-hash every time using the same salt as the one stored in history
// NOTE: SLLOOOWWWWW!
String newHashed = Bcrypt.hashPw(rawPassword, oldHashed);
// Now we can see if it's a match
if (newHashed.compareTo(oldHashed) == 0) {
// User is using one of the old passwords
passwordIsValid = false;
}
}
The above code works, but it can take 5-6 seconds on my workstation for one user to validate his password is changed. Can I do anything to mitigate this short of reducing the log rounds or beefing up the server?