@tadasy
Created April 19, 2011 14:22
# Repeated applications of the hash (key stretching) make brute force harder,
# even for an attacker who has both the database and the site key, and the
# stretch count can be raised over time to keep pace with Moore's law.
#
# bq. "To squeeze the most security out of a limited-entropy password or
# passphrase, we can use two techniques [salting and stretching]... that are
# so simple and obvious that they should be used in every password system.
# There is really no excuse not to use them." http://tinyurl.com/37lb73
# Practical Cryptography (Ferguson & Schneier), p. 350
#
# A modest 10 foldings (the default here) adds about 3ms per digest on the
# hardware this was measured on. This makes brute forcing 10 times harder,
# while reducing an app that otherwise serves 100 reqs/s to roughly 77 signin
# reqs/s, and an app that does 10 reqs/s to about 9.7 signin reqs/s.
#
# More:
# * http://www.owasp.org/index.php/Hashing_Java
# * "An Illustrated Guide to Cryptographic Hashes":http://www.unixwiz.net/techtips/iguide-crypto-hashes.html
REST_AUTH_DIGEST_STRETCHES = 10
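The following is an added example, not code from the gist or from the restful_authentication plugin, showing what the stretch count above actually buys: a salted, keyed, folded SHA1 digest, a constant-time verifier, a timing helper for choosing the count on your own hardware, and the throughput arithmetic the comment uses. The exact folding scheme (SHA1 over digest, salt, password and site key joined with `--`, repeated) and the helper names `password_digest`, `secure_compare`, `digest_cost_ms` and `signin_rps` are assumptions for illustration; the plugin's own construction may differ. The site key and salt below are constructed for the example.

```ruby
require 'digest/sha1'
require 'securerandom'
require 'benchmark'

# Added example (not the restful_authentication plugin's own code): a salted,
# stretched password digest in the style the comment above describes.
# The folding scheme (SHA1 over digest--salt--password--site_key, repeated)
# is an assumption for illustration; the plugin's exact construction may differ.

def secure_digest(*args)
  Digest::SHA1.hexdigest(args.flatten.join('--'))
end

# Fold the hash `stretches` times, keying every round with the site key and
# the per-user salt, so an attacker needs both in addition to the database
# and must pay `stretches` hash evaluations per guess.
def password_digest(password, salt, site_key, stretches)
  digest = site_key
  stretches.times { digest = secure_digest(digest, salt, password, site_key) }
  digest
end

# Per-user random salt; 20 random bytes as 40 hex characters.
def make_salt
  SecureRandom.hex(20)
end

# Constant-time comparison so verification time does not leak how many
# leading characters of the digest matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The stretch count is part of the scheme: verifying with a different count
# than the one used at enrolment must fail.
def authenticated?(password, salt, stored_digest, site_key, stretches)
  secure_compare(password_digest(password, salt, site_key, stretches), stored_digest)
end

# Wall-clock cost of one digest in milliseconds. The comment's 3 ms figure for
# 10 stretches is hardware-dependent, so measure on the deployment box.
def digest_cost_ms(site_key, stretches, password = 'correct horse', salt = make_salt)
  Benchmark.realtime { password_digest(password, salt, site_key, stretches) } * 1000.0
end

# Sign-in throughput after adding `added_ms` per request to an app that
# otherwise serves `base_rps` requests per second (the comment's arithmetic).
def signin_rps(base_rps, added_ms)
  1000.0 / (1000.0 / base_rps + added_ms)
end

if __FILE__ == $PROGRAM_NAME
  site_key = SecureRandom.hex(32)  # constructed; a real app generates this once and keeps it secret
  salt = make_salt
  stored = password_digest('correct horse', salt, site_key, 10)
  puts "digest:   #{stored}"
  puts "login ok: #{authenticated?('correct horse', salt, stored, site_key, 10)}"
  puts "wrong pw: #{authenticated?('battery staple', salt, stored, site_key, 10)}"
  [10, 1_000, 10_000].each do |n|
    printf("%6d stretches: %.2f ms\n", n, digest_cost_ms(site_key, n))
  end
  printf("100 req/s app with +3 ms per signin: %.1f signin req/s\n", signin_rps(100, 3))
end
```

Run it as a script to see the cost of 10, 1,000 and 10,000 stretches on your own machine; the right count is the largest one whose measured cost is acceptable for sign-in, and it has to be stored or fixed alongside the digest because changing it invalidates every existing digest.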