Securely Storing Password Hashes in Cache

I am making a back-end server as a personal project. Currently, when someone registers, their password is hashed with Bcrypt and saved in the database. However, querying the database every time I need to verify that the request came from the authenticated user seems to be too much. As a result, I began to wonder about caching these in the server's memory. I assume that it is unsafe to store an unhashed password in this memory. What is the most secure way to implement this? I could cache the Bcrypt'd copy of the passwords and then just verify that the user's password matches the cached Bcrypt copy, but if I can I would like to use Bcrypt as little as possible too. I assume that storing a password and its Bcrypt'd version in the cache together, even if not linked to a username, is a bad idea. Is there anything else I can do while keeping security + performance in mind?


Caching clear-text passwords and their hashes is generally not a good idea. Security comes at a cost, here your performance.

If you don't need top-notch security (i.e. slower hashing), you can go for fast hashing solutions based on SHA512.

For database performance, try to tune the database caches for faster retrieval.
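As an added example (not code from the question or the answer above), here is what a "fast hashing solution based on SHA512" should look like in practice: PBKDF2-HMAC-SHA512 from Python's standard library, with a random per-password salt and an iteration count stored alongside the hash. The iteration count is the knob behind "security comes at a cost": lower it and verification gets cheaper, raise it and it gets slower. A bare, unsalted SHA-512 of the password is not a password hash and should not be used. The default iteration count, the storage format and the function names are assumptions made for this example.

```python
"""Tunable SHA-512 based password hashing (PBKDF2-HMAC-SHA512).

Added example, not part of the original question or answer. Stdlib only,
so it runs offline. The iteration count is the security/performance knob.
"""
import base64
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

ALGORITHM = "pbkdf2-sha512"
SALT_BYTES = 16
# Assumption for this example: a middle-of-the-road default. Calibrate on
# your own hardware with calibrate_iterations() instead of trusting it.
DEFAULT_ITERATIONS = 210_000


def hash_password(password: str,
                  iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_b64$hash_b64.

    A fresh random salt per password defeats precomputed tables; storing the
    iteration count with the hash lets it be raised later without breaking
    records that were hashed with the old count.
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def parse_stored(stored: str) -> Tuple[int, bytes, bytes]:
    """Split a stored record into (iterations, salt, digest)."""
    algo, iters, salt_b64, hash_b64 = stored.split("$")
    if algo != ALGORITHM:
        raise ValueError("unsupported algorithm: " + algo)
    return int(iters), base64.b64decode(salt_b64), base64.b64decode(hash_b64)


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt/iterations and compare in constant time."""
    iterations, salt, expected = parse_stored(stored)
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, target_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a record was hashed with fewer iterations than the current policy.

    Call this after a successful verify_password() and re-hash with the
    cleartext you already have in hand; that is the only moment it is available.
    """
    iterations, _, _ = parse_stored(stored)
    return iterations < target_iterations


def calibrate_iterations(target_seconds: float, probe_iterations: int = 20_000) -> int:
    """Estimate the iteration count that makes one verification take target_seconds here."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha512", b"calibration", b"\x00" * SALT_BYTES, probe_iterations)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(1, int(probe_iterations * target_seconds / elapsed))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("good password:", verify_password("correct horse battery staple", record))
    print("bad password: ", verify_password("Correct horse battery staple", record))
    print("iterations for ~50 ms on this machine:", calibrate_iterations(0.05))
```

Pick the iteration count with `calibrate_iterations()` on the machine that will actually verify logins, then store only the record string in the database; nothing in it needs to be cached in cleartext. Note also that the usual way to avoid hashing the password on every request is to verify it once at login and hand the client a random session token, so neither the password nor its hash has to live in the server's cache at all.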
