It is generally recommended that one use a slow hash function to hash passwords. However, does this create a DoS risk?
http://security.stackexchange.com/questions/12101/prevent-denial-of-service-attacks-against-slow-hashing-functions – void_in Feb 04 '16 at 07:56
1 Answer
2
You could, in addition to using a slow hash function, limit the number of requests per second a particular user could send. For instance, if you're getting 30 failed login requests from a particular IP address, then you could delay the responses to that address, or drop them altogether.
Slow hash functions are designed to make it impractical to carry out a brute force attack if an attacker gets access to the password database. There should still be precautions built into the server as well.
Daffy
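An added example, not part of the answer above: a sketch of the per-IP limit it describes, with the throttle checked before the slow hash so that rejected requests cost no hashing CPU. The 30-failure threshold is from the answer; the 60-second window, the use of PBKDF2 as the slow hash, the in-memory store and the names `LoginThrottle` and `LoginService` are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import deque

MAX_FAILURES = 30       # threshold mentioned in the answer
WINDOW_SECONDS = 60.0   # assumption: the answer gives no time window

class LoginThrottle:
    """Sliding-window count of failed logins per source IP (hypothetical helper)."""
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures, self.window = max_failures, window
        self._failures = {}  # ip -> deque of failure timestamps

    def blocked(self, ip, now):
        q = self._failures.get(ip)
        if not q:
            return False
        while q and now - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        return len(q) >= self.max_failures

    def record_failure(self, ip, now):
        self._failures.setdefault(ip, deque()).append(now)

class LoginService:
    def __init__(self, throttle, iterations=200_000):
        self.throttle, self.iterations = throttle, iterations
        self.users = {}       # user -> (salt, hash); stands in for a database
        self.hash_calls = 0   # counts how often the expensive path actually runs

    def _slow_hash(self, password, salt):
        self.hash_calls += 1
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def register(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, self._slow_hash(password, salt))
        self.hash_calls = 0   # only count login-time hashing

    def login(self, ip, user, password, now):
        if self.throttle.blocked(ip, now):
            return "throttled"                    # dropped before any hashing
        # Unknown users are hashed against a dummy salt so timing stays uniform.
        salt, stored = self.users.get(user, (b"\0" * 16, b""))
        if hmac.compare_digest(self._slow_hash(password, salt), stored):
            return "ok"
        self.throttle.record_failure(ip, now)
        return "denied"
```

A deployment with more than one server process would keep the failure counts in a shared store rather than in a per-process dictionary.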