Monday, 2 February 2015

Combining SCRYPT + a short crc



I'm considering using SCRYPT for password storage. (I'm open to PBKDF2 as well, or bcrypt by itself).


The issue is that I don't want this to become a potential point for a DDOS attack, given the overhead of the actual computation.


I was thinking something VERY weak with a lot of collisions as a sanity check first (like CRC8) against the SALT+PASSPHRASE might be a good idea (then using a wait before returning the failure to guard against timing attacks).


This assumes a minimum length of 8, with a 3 of 4 requirement for:

  • Uppercase Alpha
  • Lowercase Alpha
  • Number
  • Non Alpha-numeric


How much would this actually reduce the effectiveness of SCRYPT in a brute force attack should data be compromised?
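As an added illustration that is not part of the question: a Python sketch of the proposed scheme, assuming CRC-8 with polynomial 0x07 (init 0, no reflection) and scrypt parameters n=2^14, r=8, p=1, which measures what fraction of wrong guesses ever reach scrypt. Because the CRC must be stored beside the hash, that same fraction bounds the work of anyone who obtains the database, so the pre-check gives back about 8 bits (roughly a factor of 256) of scrypt cost.

```python
import hashlib
import hmac
import os

# CRC-8, polynomial 0x07, init 0x00, no reflection (an assumed choice of
# "very weak" pre-check; the question only says "like CRC8").
def crc8(data: bytes) -> int:
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)  # assumed parameters, not from the post

def store(password: str) -> dict:
    """Record as the question proposes: salt, CRC8(salt+password), scrypt hash."""
    salt = os.urandom(16)
    pw = password.encode()
    return {
        "salt": salt,
        "crc": crc8(salt + pw),
        "hash": hashlib.scrypt(pw, salt=salt, **SCRYPT_PARAMS),
    }

def verify(record: dict, candidate: str) -> tuple:
    """Return (accepted, scrypt_was_run); scrypt only runs if the CRC matches."""
    pw = candidate.encode()
    if crc8(record["salt"] + pw) != record["crc"]:
        return False, False  # rejected before the expensive step
    h = hashlib.scrypt(pw, salt=record["salt"], **SCRYPT_PARAMS)
    return hmac.compare_digest(h, record["hash"]), True

def scrypt_work_fraction(record: dict, candidates: list) -> float:
    """Fraction of candidates that survive the CRC pre-check and cost a scrypt
    call. The server saves the rest on wrong logins, but so does anyone who
    holds the stored record: the CRC is a 1-in-256 filter for both sides."""
    surviving = sum(1 for c in candidates if verify(record, c)[1])
    return surviving / len(candidates)

def constructed_candidates(n: int) -> list:
    # constructed guesses meeting the 8-char, 3-of-4 class rule from the post
    return [f"Pass{i:04d}!" for i in range(n)]
```

With a few thousand constructed candidates the fraction reaching scrypt settles near 1/256, which is exactly the speed-up an offline attacker with the database also receives.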