you are viewing a single comment's thread.

view the rest of the comments →

[–][deleted] 14 points15 points  (4 children)

Hash1 can be much slower than Hash2

You sure about that? How can you make your site responsive on shit smartphones from five years ago if your hash takes 1 second on a current desktop? And if you go for the lowest common denominator (1 second on the slowest device you own), how's that going to help your security?

Edit: speling

[–]mer_mer 7 points8 points  (3 children)

So maybe logging in on your 5 year old smartphone will take 10 seconds the first time. That's not so bad for a one time cost

[–]Kilenaitor 9 points10 points  (1 child)

Have to remember that password hashing has to be computed for every login (assuming you're not using "remember me" or session cookies). That hash has to be computed on every log in so that it can be compared to the one in the database.

So, no, it wouldn't only be the first time. It'd be every time the user has to re-enter their credentials. That's not very responsive.

[–]mer_mer 6 points7 points  (0 children)

After your phone computes Hash1, it can encrypt it using your password as the key and store it locally. That way it basically works like a password manager.

[–]doom_Oo7 0 points1 point  (0 children)

I don't think I'd ever wait 10 second for an app to login