How long should password authentication take? [closed] - web-services

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 5 years ago.
I understand that it's best practice to use a slow hash function such as bcrypt, scrypt or argon2 when storing passwords in a database. Most of the documentation I've read regarding choosing parameters, such as time and memory cost, suggests setting values as high as you can to frustrate password cracking attempts should an attacker gain access to your database. My question is what sort of resource consumption is acceptable when authenticating users in a web application? I understand that the answer to this question will vary based on factors such as the specs of the server performing the authentication, the frequency at which authentication occurs, etc., but I'd like to get some general suggestions as to what would be sensible and what wouldn't. Is taking one second for password authentication too long? If my server has 8GB of memory, is using 1GB for the hash memory cost too high? I expect that the application in question will only perform password authentication occasionally, as it uses token-based authentication for the majority of requests.

Is taking one second for password authentication too long?
Not if your users will tolerate it, but I think a few hundred milliseconds should be sufficient. See this excellent answer to a more specific question.
If my server has 8GB of memory, is using 1GB for the hash memory cost too high?
I wouldn't expect your password hashing strategy to require nearly that much memory. Hashing is generally a CPU/compute-bound task.
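An added example, not code from the question or the answer above: a calibration harness built on scrypt from Python's hashlib (the one memory-hard KDF in the standard library). It doubles the cost parameter until a single hash overruns either the time budget or the memory budget, then stores the chosen parameters next to the hash so they can be raised later without invalidating old records. Note that scrypt and Argon2 are deliberately memory-hard, so for those two the memory question is a real one; the estimate used here, 128 * r * (n + p) bytes, is the example's own approximation, and the record format scrypt$n$r$p$salt$hash and the 250 ms / 64 MiB budget in the main block are assumptions made for the example.

```python
"""Calibrate scrypt cost parameters against a time and memory budget, and
store/verify passwords with the parameters embedded in the record.

Example code for the thread above, not the question's or answer's own code.
Record format 'scrypt$n$r$p$salt$hash' is an assumption of this example."""
import hashlib
import hmac
import os
import time

DKLEN = 32  # derived-key length in bytes


def scrypt_memory_bytes(n: int, r: int, p: int) -> int:
    """Approximate RAM scrypt needs: 128 * r * (n + p) bytes, dominated by the
    n-block scratch array (example's own estimate). OpenSSL refuses to run if
    the real figure exceeds maxmem, so hash_password passes twice this."""
    return 128 * r * (n + p)


def hash_password(password: bytes, salt: bytes, n: int, r: int, p: int) -> bytes:
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p,
                          maxmem=2 * scrypt_memory_bytes(n, r, p), dklen=DKLEN)


def time_hash(n: int, r: int, p: int, rounds: int = 3) -> float:
    """Best-of-`rounds` wall-clock seconds for one hash (min filters noise)."""
    password = b"correct horse battery staple"  # constructed sample input
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        hash_password(password, salt, n, r, p)
        best = min(best, time.perf_counter() - start)
    return best


def calibrate(target_seconds: float, memory_budget_bytes: int,
              r: int = 8, p: int = 1, n_min: int = 2 ** 10, n_max: int = 2 ** 20):
    """Double n until one hash would exceed either budget; return the largest
    (n, seconds) that stayed inside both, or None if even n_min is too costly.
    The budget is per login on *your* server: that is what "as high as you
    can" means in practice."""
    chosen = None
    n = n_min
    while n <= n_max:
        if scrypt_memory_bytes(n, r, p) > memory_budget_bytes:
            break
        elapsed = time_hash(n, r, p)
        if elapsed > target_seconds:
            break
        chosen = (n, elapsed)
        n *= 2
    return chosen


def make_record(password: bytes, n: int, r: int, p: int) -> str:
    """Store the cost parameters beside the hash so they can be raised later
    (re-hash on the next successful login of each user)."""
    salt = os.urandom(16)
    digest = hash_password(password, salt, n, r, p)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def verify_record(record: str, password: bytes) -> bool:
    algo, n, r, p, salt_hex, digest_hex = record.split("$")
    if algo != "scrypt":
        return False
    digest = hash_password(password, bytes.fromhex(salt_hex), int(n), int(r), int(p))
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_rehash(record: str, n: int, r: int, p: int) -> bool:
    """True if the record was written with parameters other than current policy."""
    _, rn, rr, rp, _, _ = record.split("$")
    return (int(rn), int(rr), int(rp)) != (n, r, p)


if __name__ == "__main__":
    # Assumed budget: 250 ms per login and 64 MiB of RAM for one hash
    print("chosen (n, seconds):", calibrate(0.25, 64 * 1024 * 1024))
```

Run the calibration on the machine that will actually serve logins, with the other services it shares the box with running, and re-run it when the hardware changes; the stored parameters let old records keep verifying while new ones pick up the higher cost.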

Related

Amazon S3 Usage reports by customer [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 6 years ago.
For our video platform we store all of our video files in AWS S3 (sometimes delivering them via CloudFront). Customers are divided into groups; for every group we created a bucket with a cost allocation tag.
So at this point we can monitor storage and streaming costs for a group. But for a new project we are required to get those reports per customer.
What should be the best approach? We could create a bucket for every customer, but I'm not a fan of that.
We could inspect the access logs; but according to the manual they can be "wrong".
Any suggestions?
The documentation is only hedging against the occasional lost or delayed log file. They are not guaranteed to be perfect, but in practice, they are reliable. I get the sense that the purpose of the disclaimer is to avoid petty disputes, rather than significant discrepancies.
Consider using the logs to do your own reporting on your existing projects, where you already know the costs... and compare those results to the results you get with the tag-based billing setup. If the answers are consistent, the problem seems effectively solved.
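As an added example of doing your own reporting from the access logs (not code from the question or the answer above): the parser below tokenizes S3 server access log lines and sums per-customer egress, uploads, request counts and errors. It assumes objects are laid out as customers/<id>/... inside the group bucket, which is this example's own convention, and the four log lines are constructed for the example in the S3 server access log field order (bucket owner, bucket, [time], remote IP, requester, request ID, operation, key, "request URI", HTTP status, error code, bytes sent, object size, total time, turnaround time, "referrer", "user agent", version ID, ...), not real log data.

```python
"""Per-customer usage from S3 server access logs.

Added example for the answer above; not the question's or answer's own code.
Assumptions: keys look like customers/<customer-id>/..., and SAMPLE_LOG is
constructed to follow the S3 server access log field order."""
from collections import defaultdict

# Constructed sample: two GETs for acme, one PUT and one failed GET for globex.
SAMPLE_LOG = """\
79a59df900b949e55d96a1e698fbacedfd6e09d98eaaexample group-a-videos [06/Feb/2019:00:00:38 +0000] 192.0.2.3 - 3E57427F3EXAMPLE REST.GET.OBJECT customers/acme/intro.mp4 "GET /customers/acme/intro.mp4 HTTP/1.1" 200 - 1048576 1048576 45 12 "-" "Mozilla/5.0" - example= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader group-a-videos.s3.amazonaws.com TLSv1.2
79a59df900b949e55d96a1e698fbacedfd6e09d98eaaexample group-a-videos [06/Feb/2019:00:01:02 +0000] 192.0.2.4 - 7B2E7A3FEXAMPLE REST.GET.OBJECT customers/acme/intro.mp4 "GET /customers/acme/intro.mp4 HTTP/1.1" 206 - 524288 1048576 30 9 "-" "VLC/3.0" - example= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader group-a-videos.s3.amazonaws.com TLSv1.2
79a59df900b949e55d96a1e698fbacedfd6e09d98eaaexample group-a-videos [06/Feb/2019:00:02:17 +0000] 198.51.100.7 arn:aws:iam::123456789012:user/uploader 9C1D2F4AEXAMPLE REST.PUT.OBJECT customers/globex/lecture.mp4 "PUT /customers/globex/lecture.mp4 HTTP/1.1" 200 - - 2097152 120 80 "-" "aws-cli/2.0" - example= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader group-a-videos.s3.amazonaws.com TLSv1.2
79a59df900b949e55d96a1e698fbacedfd6e09d98eaaexample group-a-videos [06/Feb/2019:00:03:40 +0000] 192.0.2.9 - 1A2B3C4DEXAMPLE REST.GET.OBJECT customers/globex/missing.mp4 "GET /customers/globex/missing.mp4 HTTP/1.1" 404 NoSuchKey 290 - 5 - "-" "curl/7.64" - example= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader group-a-videos.s3.amazonaws.com TLSv1.2
"""


def tokenize(line: str) -> list:
    """Split a log line on spaces while keeping [...] and "..." groups whole,
    so a request URI or user agent containing spaces stays one field."""
    fields, buf, closer, in_token = [], [], None, False
    for ch in line.strip():
        if closer is not None:
            if ch == closer:
                closer = None
            else:
                buf.append(ch)
        elif ch in '["':
            closer = "]" if ch == "[" else '"'
            in_token = True
        elif ch == " ":
            if in_token:
                fields.append("".join(buf))
                buf, in_token = [], False
        else:
            buf.append(ch)
            in_token = True
    if in_token:
        fields.append("".join(buf))
    return fields


def parse_line(line: str) -> dict:
    f = tokenize(line)
    if len(f) < 17:
        raise ValueError("truncated log line: %r" % line[:60])

    def num(s: str) -> int:  # S3 writes "-" where a field is absent
        return 0 if s == "-" else int(s)

    return {"bucket": f[1], "time": f[2], "operation": f[6], "key": f[7],
            "status": int(f[9]), "error": f[10],
            "bytes_sent": num(f[11]), "object_size": num(f[12])}


def customer_of(key: str, prefix: str = "customers/"):
    """Map an object key to a customer id; None if the key is outside the prefix."""
    if not key.startswith(prefix):
        return None
    return key[len(prefix):].split("/", 1)[0] or None


def usage_by_customer(log_text: str) -> dict:
    totals = defaultdict(lambda: {"egress_bytes": 0, "uploaded_bytes": 0,
                                  "requests": 0, "errors": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        cust = customer_of(rec["key"])
        if cust is None:
            continue
        t = totals[cust]
        t["requests"] += 1
        if rec["status"] >= 400:
            t["errors"] += 1  # error bodies are tallied here, not as stream egress
            continue
        if rec["operation"].startswith("REST.GET.OBJECT"):
            t["egress_bytes"] += rec["bytes_sent"]
        elif rec["operation"].startswith("REST.PUT.OBJECT"):
            t["uploaded_bytes"] += rec["object_size"]
    return dict(totals)


if __name__ == "__main__":
    for cust, t in sorted(usage_by_customer(SAMPLE_LOG).items()):
        print(cust, t)
```

Bytes sent is per response, so partial-content (206) range requests from video players add up correctly; storage cost per customer still has to come from an inventory or list of object sizes, since the logs only show what was uploaded, not what is currently kept.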

Passing messages from AWS to company site [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 7 years ago.
I am looking for a way to pass log events from an AWS application to my company site.
The thing is that the AWS application is 100% firewalled from everything except one IP address, because it's an encryption-related service.
I just don't know what service I should use to do this. There are so many services that I really have no idea which one it should be.
I think I'd just use the simple message service; does this make sense? The thing is, there are plenty of events (let's say 1M per day), so I don't want big extra costs for this.
Sorry for the generic question, but I think it's quite concrete: "What is the optimal way to pass event messages from AWS when the volume is approximately 1M per day, each 256 bytes on average?"
I'd like to connect to an AWS service instead of to any of the EC2 hosts...
On both sides I have Tomcats with the AWS SDK.
I just want to avoid rewriting. Maybe I should do it with S3? The files are immutable, but I could upload files every hour. I don't need real-time events. I just need to have log files on site for analysis of user experience, and so that customers can access them, but having the log in 1M chunks would require further assembling etc. I am really confused, sorry.
Kinesis is good for streaming event data. S3 is good if you already have files that you want stored.

Collecting data from website without API [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 3 years ago.
I am looking to build a web app to improve the user experience of booking railway tickets in India. The API is impossible to get due to the hefty charge to procure it. I have seen many apps that provide details of the trains etc. through their apps.
My question is how are they scraping data from the website? In general, how can I legally get the data shown to the user (I don't want payment and things that are impossible without the API) on any website? How do people scrape such data? Any tools/methods?
Bear with me if question is naive. I'm pretty new to this stuff.
They can get the train schedule information using any one of several programming languages, though it is most likely done with ordinary PHP and any good web server host. For example, all Indian train schedules can be found on the indianrail.gov website.
Sending a specially built URL to
http://www.indianrail.gov.in/cgi_bin/inet_trnnum_cgi.cgi?lccp_trnname=1123
using the POST method of sending form data should give you all the details for train number 1123. After that it becomes just a simple task of tidying up the results for storage in a database.
Update: well-armoured site; it's checking both the user agent and referer of inbound requests.
Addendum: the indianrail.gov site is changing to http://www.trainenquiry.com/ -> will have to take another look.

Licensing scheme for client application that accesses web service [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 7 years ago.
I'm currently deciding under what license I should release a .NET client application that accesses our web service. The best way to describe my situation would be like Dropbox, as they have client software that simply allows users to access their web service.
I'm not sure whether the best decision is to go open source on this to promote growth, support, etc., or to keep the source closed with some to help reduce the number of non-official clients specifically meant to misuse / abuse the web service backend.
(If it helps any the client software will be computing and sending data to a backend, so tampering of the submitted data would be best kept at a minimum.)
Pros, cons, and suggestions are welcome
Isn't there a way to work with sessions in a webservice? If you could implement that, you could make the users of the client login first to your webservice (via the client application), and then only make the functionalities available after a successful login. That way, should you decide to release an open source version, you will greatly reduce the risk of rogue clients already.
As for the decision whether to go open source or not, that's entirely up to you, but I don't think the choice should affect security.

Unlimited Online File Storage [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
Well, I would like to build a file hosting website just like others already have, but it is going to be something different by adding a search engine, allowing download and upload at full speed for any user, and so on. Unfortunately the web hosting plans which claim to support UNLIMITED SPACE rarely allow me to host files on that space. So what I need is an unlimited file storage service which could host all of my users' files.
I found that Amazon S3 already provides such a service, but could anybody recommend other, better ones?
No storage is really unlimited. Depending on how much space you'll need, this could get very expensive.
I don't want to hammer good ideas, but if I understand correctly, you want to build a hosting service, yet you want to 'rent' the disk space and bandwidth. Which means, in other words, that you want to outsource a part of the core business. Which is the fastest way to kill your business.
Everyone you rent from will put their profit into the price you get, so while it is possible to create a service this way, it would just be too expensive to sell.
I suggest you put a spreadsheet together where you calculate this service as if you would build it up piece by piece. Calculate the needed disk space (number of disks), bandwidth, servers, and you will realize that with even 1000 users online you would need a smaller data center.