From: Michael S. <mi...@st...> - 2015-02-26 16:08:16
Tomas Gustavsson wrote:
> What's your threat analysis?
> Are you protecting against someone dumping the EJBCA database trying to
> brute-force one-time enrollment codes before they are being used?

Yes. Or a SQL injection revealing the user's password via web application.

> 16 rounds is too slow even for a single use imho. On my laptop a single
> call (a single bcrypt) with 16 rounds takes >20 seconds.

The important factor is at what speed brute force attackers can work.

Ciao, Michael.