forked from technoweenie/restful-authentication
-
Notifications
You must be signed in to change notification settings - Fork 0
/
site_keys.rb
38 lines (35 loc) · 2.17 KB
/
site_keys.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
# A Site key gives additional protection against a dictionary attack if your
# DB is ever compromised. With no site key, we store
# DB_password = hash(user_password, DB_user_salt)
# If your database were to be compromised you'd be vulnerable to a dictionary
# attack on all your stupid users' passwords. With a site key, we store
# DB_password = hash(user_password, DB_user_salt, Code_site_key)
# That means an attacker needs access to both your site's code *and* its
# database to mount an "offline dictionary attack.":http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/web-authentication.html
#
# It's probably of minor importance, but recommended by best practices: 'defense
# in depth'. Needless to say, if you upload this to github or the youtubes or
# otherwise place it in public view you'll kinda defeat the point. Your users'
# passwords are still secure, and the world won't end, but defense_in_depth -= 1.
#
# Please note: if you change this, all the passwords will be invalidated, so DO
# keep it someplace secure. Use the random value given or type in the lyrics to
# your favorite Jay-Z song or something; any moderately long, unpredictable text.
REST_AUTH_SITE_KEY = '<%= $rest_auth_site_key_from_generator %>'
# Repeated applications of the hash make brute force (even with a compromised
# database and site key) harder, and scale with Moore's law.
#
# bq. "To squeeze the most security out of a limited-entropy password or
# passphrase, we can use two techniques [salting and stretching]... that are
# so simple and obvious that they should be used in every password system.
# There is really no excuse not to use them." http://tinyurl.com/37lb73
# Practical Security (Ferguson & Scheier) p350
#
# A modest 10 foldings (the default here) adds 3ms. This makes brute forcing 10
# times harder, while reducing an app that otherwise serves 100 reqs/s to 78 signin
# reqs/s, an app that does 10reqs/s to 9.7 reqs/s
#
# More:
# * http://www.owasp.org/index.php/Hashing_Java
# * "An Illustrated Guide to Cryptographic Hashes":http://www.unixwiz.net/techtips/iguide-crypto-hashes.html
REST_AUTH_DIGEST_STRETCHES = <%= $rest_auth_digest_stretches_from_generator %>