NYCPHP Meetup

NYPHP.org

[nycphp-talk] Thoughts on encryption

Chris Snyder chsnyder at gmail.com
Thu May 6 14:16:51 EDT 2010


On Thu, May 6, 2010 at 2:08 PM, John Campbell <jcampbell1 at gmail.com> wrote:

> Use bcrypt.  It is tunable so can make it so each hash check takes .1
> seconds.  This makes a dictionary attack a huge pain in the ass, but
> your login page will still be plenty responsive.
>

This is excellent advice. You can also make your login routine require
a valid session cookie and sleep() for a second or two, though that
ties up a server process.

I believe the mod_security apache extension will also identify and
prevent brute-force attacks without DOSing your clumsy, forgetful
users.
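As a worked illustration of the tunable-cost point in the quoted reply, here is an added example (not code from this thread or its authors) that picks a bcrypt cost so one hash takes about 0.1 s on the current host, hashes a password at that cost, and verifies a login while doing the same amount of bcrypt work for unknown usernames as for real ones. It assumes PHP 7 or later for password_hash(), password_verify(), password_needs_rehash() and random_bytes(); in 2010 the equivalent was crypt() with a $2a$ salt. The user table and the passwords are constructed sample data.

```php
<?php
// Added example: bcrypt cost tuning and login verification with PHP's
// password_* API (assumes PHP >= 7). Not from the original thread.
declare(strict_types=1);

/**
 * Return the smallest bcrypt cost (log2 of the work factor, so each step
 * doubles the time) at which one hash takes at least $targetSeconds here.
 * Re-run this when the hardware changes; never hard-code the result forever.
 */
function tuneBcryptCost(float $targetSeconds = 0.1, int $minCost = 10, int $maxCost = 31): int
{
    for ($cost = $minCost; $cost < $maxCost; $cost++) {
        $start = microtime(true);
        password_hash('benchmark-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        if (microtime(true) - $start >= $targetSeconds) {
            return $cost;
        }
    }
    return $maxCost;
}

/** Hash a password with an explicit bcrypt cost (4..31). */
function hashPassword(string $password, int $cost): string
{
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    if (!is_string($hash)) {
        throw new RuntimeException('password_hash() failed');
    }
    return $hash;
}

/**
 * Check a login attempt against a username => hash table.
 * Unknown usernames are verified against $dummyHash so the request costs
 * the same bcrypt work either way and response time does not reveal which
 * accounts exist. Returns [bool $ok, ?string $newHash]; $newHash is non-null
 * when the stored hash uses a lower cost than $currentCost and should be
 * replaced (the plaintext is only available at login time).
 */
function checkLogin(array $users, string $username, string $password, int $currentCost, string $dummyHash): array
{
    $known = array_key_exists($username, $users);
    $storedHash = $known ? $users[$username] : $dummyHash;

    $ok = password_verify($password, $storedHash) && $known;
    if (!$ok) {
        return [false, null];
    }

    $newHash = null;
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $currentCost])) {
        $newHash = hashPassword($password, $currentCost);
    }
    return [true, $newHash];
}

// Usage with constructed sample data.
$cost = tuneBcryptCost(0.1);
printf("bcrypt cost %d gives roughly 0.1 s per check on this host\n", $cost);

// Constructed user table; alice's hash was made with cost 4 (bcrypt's minimum)
// to stand in for a legacy, too-cheap setting that should be upgraded.
$users = ['alice' => hashPassword('correct horse battery staple', 4)];

// Dummy hash over random bytes: it can never verify, but costs real bcrypt work.
$dummyHash = hashPassword(bin2hex(random_bytes(16)), $cost);

[$ok, $newHash] = checkLogin($users, 'alice', 'correct horse battery staple', $cost, $dummyHash);
printf("alice, right password: ok=%s, rehash needed=%s\n", var_export($ok, true), var_export($newHash !== null, true));

[$ok] = checkLogin($users, 'alice', 'wrong password', $cost, $dummyHash);
printf("alice, wrong password: ok=%s\n", var_export($ok, true));

[$ok] = checkLogin($users, 'mallory', 'anything', $cost, $dummyHash);
printf("unknown user: ok=%s (same bcrypt work as a real user)\n", var_export($ok, true));
```

Store $newHash over the old one when it is returned, so accounts migrate to the tuned cost as users log in. The 0.1 s target is per check, so a legitimate login stays responsive while each guess in an offline dictionary run costs the same tenth of a second; the sleep() and mod_security ideas above address online guessing and are complementary rather than a substitute for the slow hash.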


