0
votes

We're using bcrypt to hash the users' passwords, and we store a list of the last 10 hashes to make sure they don't use the same password as the last 10 when they create a new one.

One issue we're running into is that checking the password history is a very slow process. The algorithm goes something like this:

// The user's entered password on the password change page
String rawPassword = ...

// For demonstration purposes, the password has passed all other validation measures
Boolean passwordIsValid = true;

// Loop through all the stored passwords we have for that user. We have a max of 10
for (String oldHashed: user.passwordHashHistory) {

    // Must re-hash every time using the same salt as the one stored in history
    // NOTE: SLLOOOWWWWW!
    String newHashed = Bcrypt.hashPw(rawPassword, oldHashed);

    // Now we can see if it's a match
    if (newHashed.compareTo(oldHashed) == 0) {
        // User is using one of the old passwords
        passwordIsValid = false;
    }
}

The above code works, but it can take 5-6 seconds on my workstation for one user to validate his password is changed. Can I do anything to mitigate this short of reducing the log rounds or beefing up the server?

1

1 Answers

1
votes

The BCrypt algorithm was designed precisely to be slow, with the cost factor you can determine how much time is needed to calculate a password hash. This "slowness" is the only way to thwart brute-force attacks.

If there was a way to speed up this process, an attacker would surely make use of it. So no there is no way to make short cuts here.