Change BCRYPT rounds to actual value #2356
Comments
What is the motivation behind it? Everyone can set it higher too. Is there a specific reason to change the default?
I made a small Python script to show why 12 is the best value for bcrypt rounds. Remember that bcrypt was made to slow down brute-force attacks on a database, and the database of a small server usually has 1000+ users. Also, to change this parameter you need to find the class you need, decompile that class, change the value, compile the class and finally paste it into the .jar file.

Script

And its results on my i5-4590
No, you don't need that. It's a configuration setting at the location the annotation specifies. It's at
Calculating the cost factor is always a compromise between security and performance. You don't want to impact the server performance too much, but you also don't want to give out the clear password too easily. Considering your benchmark numbers, the configuration would be quite secure against brute force. The issue with brute-force attacks is that you don't just guess the correct one. You need many tries. Naive ideas (i.e. I measured it myself. Considering a cost of But how important is this performance compromise for a Minecraft server? 250 ms would mean 4 passwords a second, which opens the target to DoS attacks based on registration or login attempts. My opinion is that we could raise the default value. Other websites also use 12 as the cost factor nowadays. Attacks should be prevented with other means.
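The compromise described above (latency per hash versus brute-force and DoS throughput) is easiest to settle by measuring on the host that will actually run the server, since every +1 on the bcrypt cost doubles the work. The following benchmark is an added example, not AuthMe code; it assumes the jBCrypt API (`org.mindrot.jbcrypt.BCrypt`, whose `gensalt(int)` / `hashpw(String, String)` take the log2 cost via the salt), and the sample password and the 250 ms budget are constructed inputs. It prints ms per hash and hashes per second for each cost, then picks the largest cost that stays within the budget.

```java
// Added example (not AuthMe's own code). Measures bcrypt cost vs. latency on
// this host and picks the largest cost within a latency budget.
// Assumption: the jBCrypt API under org.mindrot.jbcrypt is on the classpath.
import org.mindrot.jbcrypt.BCrypt;

public class BcryptCostBenchmark {

    // Constructed sample password; any string works, cost dominates the time.
    private static final String SAMPLE_PASSWORD = "correct horse battery staple";

    /** Average milliseconds for one bcrypt hash at the given log2 cost. */
    static double millisPerHash(int logRounds, int samples) {
        // jBCrypt encodes the cost in the salt: "$2a$<cost>$<22 salt chars>".
        String salt = BCrypt.gensalt(logRounds);
        BCrypt.hashpw(SAMPLE_PASSWORD, salt);            // warm-up run for the JIT
        long start = System.nanoTime();
        for (int i = 0; i < samples; i++) {
            BCrypt.hashpw(SAMPLE_PASSWORD, salt);
        }
        return (System.nanoTime() - start) / 1_000_000.0 / samples;
    }

    /**
     * Largest cost in [minCost, maxCost] whose measured latency is at or
     * under budgetMs. Stops at the first cost that exceeds the budget, so the
     * doubling per step keeps the total benchmark time bounded.
     */
    static int pickCost(int minCost, int maxCost, double budgetMs) {
        int chosen = minCost;
        for (int cost = minCost; cost <= maxCost; cost++) {
            double ms = millisPerHash(cost, cost < 12 ? 5 : 2);
            if (ms > budgetMs) {
                break;
            }
            chosen = cost;
        }
        return chosen;
    }

    public static void main(String[] args) {
        // Budget: how long one login/registration may block on hashing.
        double budgetMs = args.length > 0 ? Double.parseDouble(args[0]) : 250.0;

        System.out.printf("%-5s %10s %12s%n", "cost", "ms/hash", "hashes/s");
        for (int cost = 8; cost <= 14; cost++) {
            double ms = millisPerHash(cost, cost < 12 ? 5 : 2);
            // hashes/s is also the ceiling on login attempts per second per
            // core, which is the DoS side of the trade-off.
            System.out.printf("%-5d %10.1f %12.1f%n", cost, ms, 1000.0 / ms);
        }

        // jBCrypt accepts log2 costs from 4 to 30.
        int cost = pickCost(4, 30, budgetMs);
        System.out.printf("Largest cost within %.0f ms on this host: %d%n", budgetMs, cost);
    }
}
```

Run it on the server hardware (shared or virtualized hosts will measure slower than a desktop i5), then put the chosen value into the AuthMe setting defined in `HooksSettings.java` linked in this issue rather than patching the jar. The table also makes the doubling visible: if cost 10 costs about 60 ms, cost 12 will cost about 240 ms on the same machine.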
I think you're right, but the default config usually stays on small servers; they can afford a somewhat slower speed for this. Online is small, you know. And big servers (I mean from ~100 players) know what they are doing. So I think we can make it somewhat slower for those who don't see any difference, and make it several times safer.
Well, they might also have weaker hardware available. More often we would see shared hardware (e.g. virtualization) in this case. I'll open up a PR for discussion. In my opinion, if you care about this issue you shouldn't be using BCrypt. BCrypt has low memory requirements. This means GPUs can be programmed to hash it. They can compute it in a massively parallel way (e.g. multiple password tries at once). They are commonly available in general computers (not like ASICs or FPGAs). Other algorithms like SCrypt could be better in this way.
Please change this value from 10 to 12.
https://github.com/AuthMe/AuthMeReloaded/blob/master/src/main/java/fr/xephi/authme/settings/properties/HooksSettings.java#L47