Bootzooka update - PBKDF2 for user passwords, smaller footprint

Adam Warski

27 Feb 2014

Bootzooka is our template web project, featuring Scala and Scalatra for the backend, an AngularJS single-page-app for the frontend, and a joint SBT+Grunt build process.

Even a template project evolves all the time. I recently spoke at Jfokus, and one of the most interesting presentations I attended there was Jim Manico's talk on security. He made some very good points on how you should store user passwords.

We had been using salted SHA-256 password hashes previously, but cracking them is not a huge problem for modern GPU clusters. Hence Bootzooka now uses PBKDF2 hashing with 10000 iterations by default. The benefit of PBKDF2 is that generating the hash is computationally expensive, so cracking the passwords gets substantially harder.
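To make the scheme concrete, here is an added example (not Bootzooka's own code) of PBKDF2 password storage with the 10000 iterations mentioned above. The SHA-256 digest, the 16-byte random salt and the `algorithm$iterations$salt$hash` record format are this example's own assumptions; the point is that a per-user salt, a stored iteration count and a constant-time comparison come together in one place.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters assumed for this example. The post states 10000 iterations;
# the digest, salt length and record layout are choices made here.
ALGORITHM = "sha256"
ITERATIONS = 10000
SALT_BYTES = 16
KEY_BYTES = 32
SUPPORTED = ("sha1", "sha256", "sha512")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_<alg>$<iterations>$<salt hex>$<hash hex>.

    Storing the parameters next to the hash lets the iteration count be raised
    later without invalidating existing accounts.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    derived = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"),
                                  salt, iterations, dklen=KEY_BYTES)
    return "pbkdf2_%s$%d$%s$%s" % (ALGORITHM, iterations, salt.hex(), derived.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    try:
        scheme, iterations_str, salt_hex, hash_hex = record.split("$")
        algorithm = scheme[len("pbkdf2_"):]
        if not scheme.startswith("pbkdf2_") or algorithm not in SUPPORTED:
            return False
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: a failed login, never a success
    derived = hashlib.pbkdf2_hmac(algorithm, password.encode("utf-8"),
                                  salt, iterations, dklen=len(expected))
    # compare_digest does not leak the position of the first differing byte.
    return hmac.compare_digest(derived, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record uses fewer iterations than the current policy."""
    try:
        return int(record.split("$")[1]) < iterations
    except (IndexError, ValueError):
        return True
```

Calling `needs_rehash` on a successful login and re-hashing with the current policy is how a stored hash gets upgraded as the iteration count grows over time.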

If you are interested in the subject, take a look at the OWASP password cheat sheet.

In other news, we also updated a lot of Bootzooka's dependencies, and removed some dependencies and smaller features which aren't absolutely necessary in a template project, reducing the final .war size from 77MB to 45MB.
