Document exchange password for short term credential

Fixes gh-4959
Rob Winch 2018-01-12 09:15:35 -06:00
parent aa900065b8
commit 0991f31613
1 changed files with 8 additions and 0 deletions


@ -34,15 +34,23 @@ The reason is that with modern hardware we can perform billions of hash calculat
This means that we can crack each password individually with ease. This means that we can crack each password individually with ease.
Developers are now encouraged to leverage adaptive one-way functions to store a password. Developers are now encouraged to leverage adaptive one-way functions to store a password.
Validation of passwords with adaptive one-way functions are intentionally resource (i.e. CPU, memory, etc) intensive.
An adaptive one-way function allows configuring a "work factor" which can grow as hardware gets better. An adaptive one-way function allows configuring a "work factor" which can grow as hardware gets better.
It is recommended that the "work factor" be tuned to take about 1 second to verify a password on your system. It is recommended that the "work factor" be tuned to take about 1 second to verify a password on your system.
This trade off is to make it difficult for attackers to crack the password, but not so costly it puts excessive burden on your own system. This trade off is to make it difficult for attackers to crack the password, but not so costly it puts excessive burden on your own system.
Spring Security has attempted to provide a good starting point for the "work factor", but users are encouraged to customize the "work factor" for their own system since the performance will vary drastically from system to system.
Examples of adaptive one-way functions that should be used include Examples of adaptive one-way functions that should be used include
https://en.wikipedia.org/wiki/Bcrypt[bcrypt], https://en.wikipedia.org/wiki/Bcrypt[bcrypt],
https://en.wikipedia.org/wiki/PBKDF2[PBKDF2], https://en.wikipedia.org/wiki/PBKDF2[PBKDF2],
https://en.wikipedia.org/wiki/Scrypt[scrypt], https://en.wikipedia.org/wiki/Scrypt[scrypt],
and https://en.wikipedia.org/wiki/Argon2[Argon2]. and https://en.wikipedia.org/wiki/Argon2[Argon2].
Because adaptive one-way functions are intentionally resource intensive, validating a username and password for every request will degrade performance of an application significantly
There is nothing Spring Security (or any other library) can do to speed up the validation of the password since security is gained by making the validation resource intensive.
Users are encouraged to exchange the long term credentials (i.e. username and password) for a short term credential (i.e. session, OAuth Token, etc).
The short term credential can be validated quickly without any loss in security.
[[pe-dpe]] [[pe-dpe]]
== DelegatingPasswordEncoder == DelegatingPasswordEncoder
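Review bot: the added line "Validation of passwords with adaptive one-way functions are intentionally resource (i.e. CPU, memory, etc) intensive." has a subject-verb disagreement; suggest "Validation of passwords with adaptive one-way functions is intentionally resource (i.e. CPU, memory, etc) intensive." The added line ending "will degrade performance of an application significantly" is missing its terminating period, which matters here because AsciiDoc joins consecutive source lines into one paragraph, so the sentence runs straight into "There is nothing Spring Security ...". Finally, the closing sentence "The short term credential can be validated quickly without any loss in security." would be clearer if it stated why in one clause, for example that the expensive hash is computed once at login and the session or token is then checked cheaply on each subsequent request, since that is the reasoning the preceding three lines build up to.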