
Re "You *SHOULD* provide your own implementation of this which implements your own security."

Open · dan-lind opened this issue 8 years ago · 1 comment

Inside the UsernamePasswordAuthUser.class you can find the following snippets of code related to creating and checking password hashes:

    /**
     * You *SHOULD* provide your own implementation of this which implements your own security.
     */
    protected String createPassword(final String clearString) {
        return BCrypt.hashpw(clearString, BCrypt.gensalt());
    }

    /**
     * You *SHOULD* provide your own implementation of this which implements your own security.
     */
    public boolean checkPassword(final String hashed, final String candidate) {
        if(hashed == null || candidate == null) {
            return false;
        }
        return BCrypt.checkpw(candidate, hashed);
    }

Isn't this code already following best practices, e.g. the OWASP Password Storage Guidelines found here: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

What would be the main reasons to change this implementation?

dan-lind, Jul 08 '15 13:07

I think the main reason at least for this specific example using bcrypt would be to adapt the number of rounds for the bcrypt hashing function so that it fits your security needs and the available resources of your production environment. The following question and answers should give you a hint: http://security.stackexchange.com/questions/17207/recommended-of-rounds-for-bcrypt

albuch, Oct 12 '15 11:10
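The point in the answer above is that bcrypt's cost (the log2 of the round count that `BCrypt.gensalt()` defaults to) should be chosen for the hardware that actually verifies logins, and that the cost is baked into each stored hash, so raising it later only affects new hashes unless old ones are re-hashed when the user next logs in. The following is an added example, not code from play-authenticate or from either commenter. It assumes the jBCrypt library (`org.mindrot.jbcrypt.BCrypt`, the `hashpw`/`gensalt`/`checkpw` API the quoted snippet calls) is on the classpath; the time budget, the floor of 10, and the sample user store are illustrative choices.

```java
// Added example (not play-authenticate code): tuning the bcrypt cost factor and
// upgrading stored hashes on successful login. Assumes jBCrypt
// (org.mindrot.jbcrypt.BCrypt) is on the classpath.
import org.mindrot.jbcrypt.BCrypt;

import java.util.HashMap;
import java.util.Map;

public class BcryptCostTuning {

    /** jBCrypt accepts log_rounds 4..30; this floor is an assumed production minimum. */
    static final int MIN_COST = 10;

    /**
     * Picks the largest cost whose single hash stays within the time budget on
     * this machine. Run it once at deployment, not per request: the answer
     * depends on the hardware that verifies logins, not on the developer laptop.
     */
    static int chooseCost(long budgetMillis) {
        // Warm up the JIT so the first timed hash is not an outlier.
        BCrypt.hashpw("warm-up", BCrypt.gensalt(4));
        int best = MIN_COST;
        for (int cost = MIN_COST; cost <= 30; cost++) {
            long start = System.nanoTime();
            BCrypt.hashpw("benchmark-password", BCrypt.gensalt(cost));
            long millis = (System.nanoTime() - start) / 1_000_000L;
            if (millis > budgetMillis) {
                break;          // too slow; keep the previous cost
            }
            best = cost;        // each step doubles the work, so this climbs quickly
        }
        return best;
    }

    /** Reads the cost out of a stored "$2a$12$..." hash (also $2b / $2y prefixes). */
    static int costOf(String hash) {
        String[] parts = hash.split("\\$");   // ["", "2a", "12", "<salt+digest>"]
        if (parts.length < 4 || !parts[1].startsWith("2")) {
            throw new IllegalArgumentException("not a bcrypt hash");
        }
        return Integer.parseInt(parts[2]);
    }

    /** Same shape as the quoted createPassword, but with an explicit cost. */
    static String createPassword(String clearString, int cost) {
        return BCrypt.hashpw(clearString, BCrypt.gensalt(cost));
    }

    /**
     * Verifies the candidate and, on success, returns the hash the caller should
     * keep: the original if it already meets targetCost, otherwise a fresh hash
     * at targetCost. Returns null when verification fails. Verification always
     * runs at the cost embedded in the stored hash, which is why old hashes stay
     * weak until they are rewritten here.
     */
    static String checkAndUpgrade(String stored, String candidate, int targetCost) {
        if (stored == null || candidate == null || !BCrypt.checkpw(candidate, stored)) {
            return null;
        }
        return costOf(stored) < targetCost ? createPassword(candidate, targetCost) : stored;
    }

    public static void main(String[] args) {
        int cost = chooseCost(250);     // illustrative budget: ~250 ms per login
        System.out.println("chosen cost: " + cost);

        // Constructed sample user store: a legacy hash made at cost 4, below MIN_COST.
        Map<String, String> store = new HashMap<>();
        store.put("alice", createPassword("correct horse battery staple", 4));
        System.out.println("stored cost before login: " + costOf(store.get("alice")));

        // Wrong password: rejected, nothing rewritten.
        boolean wrongAccepted = checkAndUpgrade(store.get("alice"), "nope", cost) != null;
        System.out.println("wrong password accepted? " + wrongAccepted);

        // Right password: verified against the old hash, then re-hashed at the new cost.
        String upgraded = checkAndUpgrade(store.get("alice"), "correct horse battery staple", cost);
        if (upgraded != null) {
            store.put("alice", upgraded);   // persist the upgraded hash
        }
        System.out.println("stored cost after login: " + costOf(store.get("alice")));
    }
}
```

Two caveats worth keeping in mind when adapting this: the benchmark measures one thread, so on a server that verifies many logins concurrently the budget should be set with peak login rate in mind, and bcrypt only uses the first 72 bytes of the password, so a length cap (or pre-hashing) belongs in the same layer if very long passphrases are accepted.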