We have an application written in Java for Rasperry Pi. The password hash for the login is stored in a file where the password hash is created with a salt using 1000 iterations. Our architect complained that 1.000 iterations is too little.
When the user logs in, the password hash is loaded from file and its cypher is created on the fly from it which costs a bit of cpu time since the salt was created with 1.000 iterations.
Problem is now that even with only 10.000 iterations creating the cypher from the password hash takes over 10 seconds. The reason is that the cpu of the Pi does not have much power for doing this faster. And 10 seconds is too much time for the user to wait.
So what remains as an option is to create the cypher from the hash when the application starts up and cache it on the heap of the JVM. Question is whether this is an acceptable approach with regard to security.
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
