Hello, I am studying information security and I would like some help with a question. I know that there are some generic algorithms to encrypt users' passwords like AES, DES, etc., and I would like to know how Cloudflare protects my password when I log in to the web platform. Thank you
I would not expect security measures to be made public, especially when it comes to user passwords.
If I were writing a solution (I'm not a developer, but I have been doing the IT thing for a while) I wouldn't store the user's password at all. Instead I would create a salted hash using bcrypt or another sufficiently secure function.
As @MarkMeyer alludes, I don't think we make the exact mechanism used by Cloudflare public.
I wish services would publish that information.
It doesn’t compromise security. It only makes someone a juicier target if they’re egregiously negligent, which their victims deserve to know.
But it’s pretty revealing about an organization’s security posture and competence.
- “We’re migrating from bcrypt to Argon2 with parameters x, y and z.” Cool!
- “We mainly use bcrypt, but < 20% of accounts are still using sha512crypt. If they don’t log in in the next three months, we’ll reset their passwords.” That’s nice I guess.
- “What?” That’s concerning…
- “We use military grade AVX 512 encryption!” Uh-oh.
Cloudflare has a history of employing sensible cryptographers, unlike most organizations, but still. I figure there’s a 90% chance you use something good, a 9% chance you use something mediocre for historical reasons, and a 1% chance of .
Edit: I hope my tone didn’t read as harshly critical. The post was intended as “I’d like the status quo to be different”, not railing against Cloudflare or anyone.