Cloudflare security


#1

Hello, I am studying informatics security and I would like some help with a question. I know that there are some generic algorithms to encrypt users’ passwords, like AES, DES, etc., and I would like to know how Cloudflare protects my password when I log in to the web platform. Thank you.


#2

I’d not expect that security measures are made public. Especially when it comes to user passwords.


#3

If I were writing a solution (not a developer, but I have been doing the IT thing for a while) I wouldn’t store the user’s password at all. Instead I would create a salted hash using bcrypt or another sufficiently secure function.

As @MarkMeyer alludes I don’t think we make the exact mechanism used by Cloudflare public.


#4

I wish services would publish that information.

It doesn’t compromise security. It only makes someone a juicier target if they’re egregiously negligent, which their victims deserve to know.

But it’s pretty revealing about an organization’s security posture and competence.

  • “We’re migrating from bcrypt to Argon2 with parameters x, y and z.” Cool!
  • “We mainly use bcrypt, but < 20% of accounts are still using sha512crypt. If they don’t log in in the next three months, we’ll reset their passwords.” That’s nice I guess.
  • “What?” That’s concerning…
  • “We use military grade AVX 512 encryption!” Uh-oh.

Cloudflare has a history of employing sensible cryptographers, unlike most organizations, but still. I figure there’s a 90% chance you use something good, a 9% chance you use something mediocre for historical reasons, and a 1% chance of :skull:.

Edit: I hope my tone didn’t read as harshly critical. The post was intended as “I’d like the status quo to be different”, not railing against Cloudflare or anyone.
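As an added example (not code from any poster, and not Cloudflare’s own mechanism, which the thread notes is not public), here is the approach post #3 describes, a salted slow hash stored in place of the password, combined with the migrate-on-login idea from post #4. It uses the standard library’s PBKDF2-HMAC-SHA256 in place of bcrypt, and the legacy `sha256_unsalted` record format and the iteration count are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os

# Constructed parameters: the "current" scheme and its work factor.
CURRENT_SCHEME = "pbkdf2_sha256"
CURRENT_ITERATIONS = 100_000  # tune to the time budget of the real login path


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$hash.
    The password itself is never stored; a fresh random salt is drawn each time."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "$".join([CURRENT_SCHEME, str(iterations), _b64(salt), _b64(digest)])


def legacy_sha256_record(password: str) -> str:
    """Constructed stand-in for a weak record an older system might still hold
    (unsalted, single fast hash). Used only to demonstrate migration."""
    return "sha256_unsalted$" + hashlib.sha256(password.encode("utf-8")).hexdigest()


def verify_password(password: str, record: str) -> tuple[bool, bool]:
    """Return (matches, needs_rehash). The record's own prefix says which
    scheme to check, so old and new records can coexist during a migration."""
    scheme, *fields = record.split("$")
    if scheme == CURRENT_SCHEME:
        iterations = int(fields[0])
        salt, expected = base64.b64decode(fields[1]), base64.b64decode(fields[2])
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        salt, iterations)
        needs_rehash = iterations < CURRENT_ITERATIONS  # work factor raised since
    elif scheme == "sha256_unsalted":
        expected = bytes.fromhex(fields[0])
        candidate = hashlib.sha256(password.encode("utf-8")).digest()
        needs_rehash = True  # always upgrade away from the weak scheme
    else:
        return False, False  # unknown scheme: refuse rather than guess
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, expected), needs_rehash


def login(users: dict, username: str, password: str) -> bool:
    """Check credentials; on success, silently re-hash weak or stale records
    (the only moment the plaintext is available to do so)."""
    record = users.get(username)
    if record is None:
        return False
    ok, needs_rehash = verify_password(password, record)
    if ok and needs_rehash:
        users[username] = hash_password(password)
    return ok
```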


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.