[nycphp-talk] Thoughts on encryption
Chris Snyder
chsnyder at gmail.com
Thu May 6 14:16:51 EDT 2010
On Thu, May 6, 2010 at 2:08 PM, John Campbell <jcampbell1 at gmail.com> wrote:
> Use bcrypt. It is tunable, so you can make it so each hash check takes .1
> seconds. This makes a dictionary attack a huge pain in the ass, but
> your login page will still be plenty responsive.
>
This is excellent advice. You can also make your login routine require
a valid session cookie and sleep() for a second or two, though that
ties up a server process.
I believe the mod_security apache extension will also identify and
prevent brute-force attacks without DOSing your clumsy, forgetful
users.
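A worked example of the bcrypt cost tuning John describes, added here and not part of the thread: it calibrates the cost so one check takes roughly 0.1 s, stores a hash at that cost, verifies a login attempt, and flags old hashes for upgrade when the cost is later raised. It uses PHP's password_hash()/password_verify() (PHP 5.5+, which postdates this 2010 post); the 0.1 s target, cost bounds and sample password are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Return the smallest bcrypt cost
// (between $minCost and $maxCost) whose single hash takes at least $targetSeconds.
function calibrateBcryptCost(float $targetSeconds = 0.1, int $minCost = 10, int $maxCost = 15): int
{
    for ($cost = $minCost; $cost < $maxCost; $cost++) {
        $start = microtime(true);
        // Throwaway hash purely for timing; the input value does not matter.
        password_hash('calibration-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        if (microtime(true) - $start >= $targetSeconds) {
            return $cost;
        }
    }
    return $maxCost;
}

// Registration: store only the hash. bcrypt generates and embeds its own salt,
// and the cost is embedded too, so each stored hash remains verifiable after retuning.
function storePassword(string $password, int $cost): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Login: password_verify() does the comparison in constant time. If the hash was
// made with a lower cost than we now want, rehash it while the plaintext is in hand.
function checkLogin(string $attempt, string &$storedHash, int $currentCost): bool
{
    if (!password_verify($attempt, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $currentCost])) {
        $storedHash = storePassword($attempt, $currentCost); // persist the new hash
    }
    return true;
}

$cost = calibrateBcryptCost();
echo "Calibrated bcrypt cost: {$cost}\n";

$stored = storePassword('correct horse battery staple', $cost); // assumed sample password

// Simulated login attempts (constructed inputs).
var_dump(checkLogin('correct horse battery staple', $stored, $cost)); // bool(true)
var_dump(checkLogin('wrong password', $stored, $cost));               // bool(false)

// Raising the cost later: the old hash still verifies and is upgraded on next login.
checkLogin('correct horse battery staple', $stored, $cost + 1);
echo "Hash now carries cost " . password_get_info($stored)['options']['cost'] . "\n";
```

Calibrate once at deploy time rather than on every request, since the loop itself burns the same CPU a hash does.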