WAMP CRA more safe with bcrypt?

#1

Hi,

sorry for flooding the group with messages but I have been trying to post a topic yesterday twice but this got lost so I changed the account to see if there might be a problem with it.

However, here’s my post:

I have been reading a great article about Storing User Passwords Securely: hashing, salting, and Bcrypt in which the author says that using bcrypt as the main password hashing method is safer than, for example, using SHA-based password hashing methods since it is slower, making it harder (or more time consuming) to perform hardware-based database attacking.

The author points out that this is due to the repeating nature of the bcrypt function. I have taken a look at the WAMP-CRA authentication methods and it seems like this is using a self-implemented variant of PBKDF hashing.

My question is, how safe is this compared to the bcrypt-version? Would switching to bcrypt improve security against attacks?

#2

Hi Simon,

replacing sha256 with bcrypt doesn't make a significant difference in my view. But see

https://github.com/wamp-proto/wamp-proto/issues/164

A bigger step would be

https://github.com/wamp-proto/wamp-proto/issues/135

But all that is less good than WAMP-cryptosign - this is the way forward.

Cheers,
/Tobias

On 09.08.2016 at 09:52, Simon Kemper wrote:

Hi,

sorry for flooding the group with messages but I have been trying to post a
topic yesterday twice but this got lost so I changed the account to see if
there might be a problem with it.

However, here's my post:

I have been reading a great article about Storing User Passwords Securely:
hashing, salting, and Bcrypt
<http://dustwell.com/how-to-handle-passwords-bcrypt.html> in which the
author says that using bcrypt as the main password hashing method is safer
than, for example, using SHA-based password hashing methods since it is
slower, making it harder (or more time consuming) to perform hardware-based
database attacking.

The author points out that this is due to the repeating nature of the
bcrypt function. I have taken a look at the WAMP-CRA authentication methods
and it seems like this is using a self-implemented variant of PBKDF hashing.

My question is, how safe is this compared to the bcrypt-version? Would
switching to bcrypt improve security against attacks?

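As an added illustration (not code from this thread, Autobahn or Crossbar), the scheme WAMP-CRA specifies: a salted PBKDF2-HMAC-SHA256 key for the stored credential and an HMAC-SHA256 over the server's challenge, plus a crude timing loop showing that the iteration count is the work factor that decides how much a stolen (salt, key) record slows an offline guess. Function and parameter names are assumptions, and the sample salt, password and challenge are constructed.

```python
import base64
import hashlib
import hmac
import os
import time

def derive_key_raw(secret: str, salt: str, iterations: int = 1000, keylen: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password. The iteration count is the tunable work
    factor (the role bcrypt's cost parameter plays): raising it slows every guess
    against a stolen (salt, key) record by the same factor."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf8"),
                               salt.encode("utf8"), iterations, keylen)

def derive_key(secret: str, salt: str, iterations: int = 1000, keylen: int = 32) -> bytes:
    """Client key as WAMP-CRA uses it: base64 of the derived bytes."""
    return base64.b64encode(derive_key_raw(secret, salt, iterations, keylen))

def compute_wcs(key: bytes, challenge: str) -> bytes:
    """Challenge signature: base64(HMAC-SHA256(key, challenge))."""
    return base64.b64encode(hmac.new(key, challenge.encode("utf8"), hashlib.sha256).digest())

def verify(server_key: bytes, challenge: str, signature: bytes) -> bool:
    """Server side: recompute the signature and compare in constant time."""
    return hmac.compare_digest(compute_wcs(server_key, challenge), signature)

def guesses_per_second(salt: str, iterations: int, seconds: float = 0.2) -> float:
    """Rough offline-guessing rate for one CPU core at a given iteration count."""
    n, t0 = 0, time.perf_counter()
    while time.perf_counter() - t0 < seconds:
        derive_key_raw("guess%d" % n, salt, iterations)
        n += 1
    return n / (time.perf_counter() - t0)

if __name__ == "__main__":
    # Constructed sample values, not real credentials or a real challenge.
    salt = base64.b64encode(os.urandom(16)).decode("ascii")
    stored = derive_key("correct horse battery staple", salt, iterations=1000)
    challenge = '{"nonce": "example-nonce", "authid": "simon", "timestamp": "2016-08-09T09:52:00Z"}'
    print("verifies:", verify(stored, challenge, compute_wcs(stored, challenge)))
    for iters in (1000, 10000, 100000):
        print(f"iterations={iters:>6}: ~{guesses_per_second(salt, iters):.0f} guesses/s per core")
```

The default of 1000 iterations is cheap enough that a GPU rig tries many guesses per second per core; the loop makes the cost of raising it visible, which is the same lever bcrypt's cost exposes.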