From: Tomas G. <to...@pr...> - 2015-02-26 16:48:19
What's your use case? Why don't you use 24 character randomly generated one-time enrollment codes? You can surely design your work-flow to be more secure, still giving a decent user experience, better than waiting 30 seconds in a browser window?

Cheers,
Tomas

On February 26, 2015 5:08:03 PM GMT+01:00, "Michael Ströder" <mi...@st...> wrote:
>Tomas Gustavsson wrote:
>> What's your threat analysis?
>> Are you protecting against someone dumping the EJBCA database trying to
>> brute-force one-time enrollment codes before they are being used?
>
>Yes. Or a SQL injection revealing the user's password via web application.
>
>> 16 rounds is too slow even for a single use imho. On my laptop a single
>> call (a single bcrypt) with 16 rounds takes >20 seconds.
>
>The important factor is at what speed brute force attackers can work.
>
>Ciao, Michael.
>
>_______________________________________________
>Ejbca-develop mailing list
>Ejb...@li...
>https://lists.sourceforge.net/lists/listinfo/ejbca-develop
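The trade-off argued in this thread (a slow bcrypt cost factor versus a long random one-time code), as an added worked example that is not EJBCA's code or either poster's: it generates a 24-character code from a CSPRNG, works out its entropy, and contrasts the brute-force time with that of a short numeric code. The alphabet, the assumed attacker guess rates and the salted SHA-256 storage are the example's own assumptions.

```python
"""Added example: entropy of a random one-time enrollment code versus hash cost.
All parameters below are constructed for illustration, not taken from EJBCA."""
import hashlib
import hmac
import math
import secrets
import string

# Assumption: codes drawn uniformly from a 62-symbol alphabet.
ALPHABET = string.ascii_letters + string.digits
SECONDS_PER_YEAR = 365 * 24 * 3600


def generate_code(length: int = 24) -> str:
    """Generate a one-time enrollment code from the OS CSPRNG (secrets)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random code: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Expected years to hit the code (half the keyspace) at a given guess rate."""
    return (2.0 ** bits / 2.0) / guesses_per_second / SECONDS_PER_YEAR


def hash_code(code: str, salt: bytes) -> bytes:
    """Store a salted SHA-256 only. A single fast hash is enough when the
    code itself carries ~143 bits of entropy; the slow hash is what a short,
    low-entropy code (a PIN, a password) needs instead."""
    return hashlib.sha256(salt + code.encode("utf-8")).digest()


def verify_code(code: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison so the check leaks no partial-match timing."""
    return hmac.compare_digest(hash_code(code, salt), stored)


if __name__ == "__main__":
    # Assumed attacker rates: 1e12 SHA-256/s (GPU cluster) vs 1e9 for cheap hashes
    # of a 6-digit code; both are constructed figures for comparison only.
    long_bits = entropy_bits(24)
    pin_bits = entropy_bits(6, 10)
    print(f"24-char code: {long_bits:.1f} bits, "
          f"{years_to_exhaust(long_bits, 1e12):.2e} years at 1e12 guesses/s")
    print(f"6-digit code: {pin_bits:.1f} bits, "
          f"{years_to_exhaust(pin_bits, 1e9):.2e} years at 1e9 guesses/s")
```

The point the numbers make is the one Michael raises: what matters is the attacker's guess rate against the stored value, and a 24-character random code keeps that search infeasible even at cheap-hash speeds, whereas a short code only survives behind an expensive hash like bcrypt at a high cost factor.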