How to resolve password hash complexity with HTTP basic auth?

 

Password hashes are stored as PBKDF2 with 512bits with 16384 rounds. This takes its time on my small server. Users are authorized with HTTP basic auth over SSL/TLS. With this setup every request requires to calculate the hash which puts a load on the server.

Current solution: After the first successful login I store a session cookie at client.

Pro: Minimal complexity that reduces time for hash calculation, still works for clients that do not store cookies

Cons: Clients that do not accepts cookies still create load.

Other ways to mitigate: - Weaken password hash (doesn't feel right) - Implement own/other authentication instead of basic auth (which one? adds complexity)

Priorities: Security first, access to administration/monitoring is to be secured. Then server load.

How to mitigate password hashing load? How to not sacrifice security? Is there an alternative to authentication without a secured channel (shared secret)?

Current solution: After the first successful login I store a session cookie at client.

This is the typical solution—either using actual stored sessions, or a signed user+timestamp token (HMAC being faster to verify than bcrypt).

It also solves the problem of HTTP Auth only being sent for pages under the same directory path as the first page that requested auth, and of the crazy browsers that don't re-send auth headers until prompted with 401 for every single request.

Cons: Clients that do not accepts cookies still create load.

Clients that don't accept cookies at all are relative rare and will break for almost all other sites that require a login, so for the common case you should generally be OK.

Implement own/other authentication instead of basic auth (which one? adds complexity)

If you are determined not to rely on cookies, the only other mechanisms I can think of with native browser support are Digest Auth (doesn't really solve the problem as it is still password-based) and HTTPS client certificates (may be an acceptable/convenient option depending on who your userbase are).

链接地址: http://www.djcxy.com/p/3678.html

上一篇: 在缓存中安全地存储密码哈希

下一篇: 如何通过HTTP基本身份验证解决密码哈希复杂性?