Reputation: 3253
I am making a back-end server as a personal project. Currently, when someone registers, their password is hashed with Bcrypt and saved in the database. However, querying the database every time I need to verify that the request came from the authenticated user seems to be too much. As a result, I began to wonder about caching these in the server's memory. I assume that it is unsafe to store an un-hashed password in this memory. What is the most secure way to implement this? I could cache the Bcrypt'd copy of the passwords and then just verify that the user's password matches the cached Bcrypt copy, but if I can I would like to use Bcrypt as little as possible too. I assume that storing a password and its Bcrypt'd version in the cache together, even if not linked to a username, is a bad idea. Is there anything else I can do while keeping security + performance in mind?
Upvotes: 7
Views: 2147
Reputation: 4853
Caching clear-text passwords and their hashes is generally not a good idea. Security comes with a cost; here, that cost is your performance.
If you don't need top-notch security (i.e. slower hashing), you can go for fast hashing solutions based on SHA512.
For database performance, try to tune the database caches for faster retrieval.
Upvotes: 0
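As an added example (not part of either post above), here is one way to get the cache the question asks for without holding cleartext passwords or the database hashes in memory: after a password passes the slow check once, keep only an HMAC of it under a per-process key, with a TTL, and let a wrong guess or a miss fall through to the slow check. The names (`VerifiedCredentialCache`, `Authenticator`) are hypothetical, and PBKDF2 stands in for Bcrypt only so the block runs on the standard library.

```python
import hashlib, hmac, os, secrets, time
# Slow salted hash as stored in the database; stands in for bcrypt so the example
# runs on the standard library alone (use bcrypt.hashpw/checkpw in production).
ROUNDS = 100_000

def slow_hash(password, salt=None):
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)

def slow_verify(password, stored):
    return hmac.compare_digest(slow_hash(password, stored[:16]), stored)

class VerifiedCredentialCache:
    """Fast path for passwords that already passed the slow check. Holds neither the
    cleartext nor the database hash, only an HMAC of the password under a key that
    lives in this process's memory alone, so entries are worthless once it exits."""
    def __init__(self, ttl_seconds=300):
        self._key = secrets.token_bytes(32)       # per-process secret, never persisted
        self._ttl = ttl_seconds
        self._entries = {}                        # username -> (tag, expiry)
    def _tag(self, username, password):
        return hmac.new(self._key, f"{username}\0{password}".encode(), "sha256").digest()
    def check(self, username, password, now):
        entry = self._entries.get(username)
        if entry is None:
            return False
        tag, expiry = entry
        if now > expiry:                          # TTL bounds how long a stale entry lives
            del self._entries[username]
            return False
        return hmac.compare_digest(tag, self._tag(username, password))
    def remember(self, username, password, now):
        self._entries[username] = (self._tag(username, password), now + self._ttl)
    def forget(self, username):                   # call on logout or password change
        self._entries.pop(username, None)

class Authenticator:
    def __init__(self, db, cache):
        self.db, self.cache, self.slow_checks = db, cache, 0
    def authenticate(self, username, password, now=None):
        now = time.monotonic() if now is None else now
        if self.cache.check(username, password, now):
            return True                           # only a correct password can hit the cache
        stored = self.db.get(username)
        if stored is None:
            return False
        self.slow_checks += 1                     # wrong guesses still pay the full slow cost
        if not slow_verify(password, stored):
            return False
        self.cache.remember(username, password, now)
        return True
```

Because only a password that already verified can produce a cache hit, the fast path never makes guessing cheaper, and invalidating on password change is a single `forget` call.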