[lug] Application Password Security

George Sexton georges at mhsoftware.com
Mon Jun 20 14:44:30 MDT 2016

I'm writing a password security update for some software. I'm going to a 
BCrypt algorithm which uses a salt and an iteration count to transform 
the password. I would go to Argon2, but I'm just not seeing a Java 
implementation yet.

The software has historically had a feature that stops users from 
re-using passwords by keeping a history. If the password database is 
compromised, along with the password history, then I'm potentially 
serving up not only their current password, but historical ones as well.

The question I'm struggling with is: what's the bigger security risk? 
Users re-using passwords, or my app keeping historical passwords? 
Although I'm making it pretty expensive to generate a dictionary, it 
still won't be impossible. I guess where I'm ending up is that the 
chance of a BCrypt password being compromised is lower than the risk of a 
user cycling through the same (or a small set of) passwords.

I would be interested in hearing what others think...

George Sexton
*MH Software, Inc.*
Voice: 303 438 9585
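The design under discussion, as an added example that is not part of the original post: a bounded password history where every remembered entry is an independently salted, iterated hash, so a re-use check costs one slow hash per remembered entry and a leaked history row is no cheaper to crack than the current one. It assumes PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for BCrypt; the cost and depth constants are illustrative.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Stand-in for BCrypt: salted, iterated PBKDF2-HMAC-SHA256 from the standard
# library (assumption made so the example runs without a bcrypt package).
ITERATIONS = 50_000          # work factor; tune upward for production
HISTORY_DEPTH = 5            # current password plus the previous four

Entry = Tuple[bytes, bytes]  # (salt, digest) for one remembered password


def hash_password(password: str, salt: Optional[bytes] = None) -> Entry:
    """Hash with a fresh random salt per entry unless a salt is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute under the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def was_used_before(password: str, history: List[Entry]) -> bool:
    """True if the candidate matches any remembered entry. Each entry has its
    own salt, so the slow hash runs once per remembered password."""
    return any(verify_password(password, s, d) for s, d in history)


def change_password(new_password: str, history: List[Entry]) -> List[Entry]:
    """Reject re-use; otherwise prepend the new hash and drop entries beyond
    HISTORY_DEPTH. history[0] is the current password, older entries follow."""
    if was_used_before(new_password, history):
        raise ValueError("password was used recently")
    return [hash_password(new_password)] + history[: HISTORY_DEPTH - 1]
```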