Generating a password hash twice with disallow_password_reuse


Алексей Мацкевич

Jan 31, 2021, 1:33:50 AM
to Rodauth
Hi, I use the disallow_password_reuse feature in my project and noticed that creating an account takes quite a long time. I knew that generating a secure password hash with a standard price for bcrypt takes about 200 ms, but after looking at the metrics on requests, I found that there is some lengthy code execution between requests to the database, similar in duration to generating a hash from a password.
[attached image: request_create.jpg]
As I discovered when using the disallow_password_reuse feature, the password hash is generated a second time at this location: rodauth/disallow_password_reuse.rb at 6cbf61090a355a20ab92e3420d5e17ec702f3328 · jeremyevans/rodauth (github.com)

1. Is there any reason to re-generate the password hash?
2. As far as I understand, we could just take the already generated password hash from the account at runtime, because it was generated in the create action, and this code is called in an after hook.
3. I also noticed that when creating an account, password reuse is checked, although this obviously does not make sense; maybe it makes sense to add a flag for the `create` route to skip unnecessary queries to the database?

Thanks,
Aleksei

Jeremy Evans

Jan 31, 2021, 11:36:17 AM
to rod...@googlegroups.com
On Sat, Jan 30, 2021 at 10:33 PM Алексей Мацкевич <aleksei_...@outlook.com> wrote:
> Hi, I use the disallow_password_reuse feature in my project and noticed that creating an account takes quite a long time. I knew that generating a secure password hash with a standard price for bcrypt takes about 200 ms, but after looking at the metrics on requests, I found that there is some lengthy code execution between requests to the database, similar in duration to generating a hash from a password.
> [attached image: request_create.jpg]
> As I discovered when using the disallow_password_reuse feature, the password hash is generated a second time at this location: rodauth/disallow_password_reuse.rb at 6cbf61090a355a20ab92e3420d5e17ec702f3328 · jeremyevans/rodauth (github.com)
>
> 1. Is there any reason to re-generate the password hash?

The generated password hash will be different for each previous salt.

> 2. As far as I understand, we could just take the already generated password hash from the account at runtime, because it was generated in the create action, and this code is called in an after hook.

This would only work if you used an unsalted password hash, which would be a terrible idea for security.

> 3. I also noticed that when creating an account, password reuse is checked, although this obviously does not make sense; maybe it makes sense to add a flag for the `create` route to skip unnecessary queries to the database?

Calculating the password hash is probably taking longer than checking the database.  However, this does depend on the application's latency to the database.  I'll certainly consider a pull request to avoid an unnecessary query.

Thanks,
Jeremy
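The two points Jeremy makes (each stored hash carries its own salt, so a reuse check must re-hash the candidate with every previous salt, and a straight comparison of hash strings would only work for unsalted hashes) can be shown in a few lines. This is an added example, not Rodauth's code: Rodauth uses bcrypt, but PBKDF2-HMAC-SHA256 from Ruby's standard library stands in here so it runs without extra gems; the storage format and iteration count are constructed for the demo.

```ruby
require "openssl"
require "securerandom"

# Constructed for this example (not Rodauth's format): "<hex salt>$<hex digest>".
# Iteration count is deliberately low so the demo runs fast.
ITERATIONS = 20_000

# Hash a password with a fresh random salt (or a caller-supplied one when
# re-checking against a stored record).
def hash_password(password, salt = SecureRandom.random_bytes(16))
  digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32,
                                      OpenSSL::Digest.new("SHA256"))
  "#{salt.unpack1('H*')}$#{digest.unpack1('H*')}"
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Correct reuse check: one extra hash computation per previous record, each
# using that record's own salt. This is the cost the thread observed.
def reused?(password, previous_hashes)
  previous_hashes.any? do |stored|
    salt_hex, _digest_hex = stored.split("$", 2)
    secure_equal?(hash_password(password, [salt_hex].pack("H*")), stored)
  end
end

# The shortcut suggested in the thread: compare the hash just generated for the
# account against the stored ones. With per-record salts this never matches,
# so real reuse goes undetected.
def naive_reused?(new_hash, previous_hashes)
  previous_hashes.include?(new_hash)
end

if __FILE__ == $PROGRAM_NAME
  history = ["hunter2", "correct horse"].map { |pw| hash_password(pw) }
  fresh = hash_password("hunter2")          # same password, new salt
  p reused?("hunter2", history)             # true
  p naive_reused?(fresh, history)           # false: salts differ
  p reused?("brand new", history)           # false
end
```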


Reply all
Reply to author
Forward
0 new messages