Hashing Password in Google App Engine and Instance Hours Quota
<p>I've been reading a lot about password storing, hashing, salting, "peppering", MAC, etc. because I'm about to make a new website and security is really important to me. However, there are some reasons why I'm considering not using Google Authentication (or Facebook, OpenID or any other) which are not relevant right now, but it brings me to this point.</p>
<p>I'm new to Google App Engine, this is going to be my first project on it, and I'm a little confused about the "Instance Hours" and how it no longer has "CPU time" but the aforementioned quota. Even worse, I haven't been able to understand what the Instance Hours Free Quota is.</p>
<p>Here's why I'm worried about the quotas and what that has to do with my security concerns: One recommendation I've read everywhere is to make multiple iterations and hash the password several times, because that would make an attacker spend much, much, much more time (I don't have numbers, but they are everywhere on <a href="https://security.stackexchange.com/">https://security.stackexchange.com/</a>).</p>
<p>Multiple iterations have a direct impact on CPU time, and if GAE had a CPU time quota I think making 1000 iterations every time a user logs in could be a problem. However, if what they count is Instance Hours from the moment the request is done to up to fifteen minutes later, and as read in the <a href="https://developers.google.com/appengine/docs/quotas?hl=es" rel="nofollow noreferrer">GAE quota docs</a>:</p>
<blockquote> <p>In general, instance usage is billed on an hourly basis based on the instance's uptime. Billing begins when the instance starts and ends fifteen minutes after the instance shuts down. You will be billed only for idle instances up to the number of maximum idle instances set in the Performance Settings tab of the Admin Console.
Runtime overhead is counted against the instance memory.</p> </blockquote>
<p>then it means that if my users log in (hash 1000 times), then they continue to use the site, the Instance Hours will continue to sum until all of them leave the page + 15 minutes? If this is true, then making it iterate 1000 times wouldn't have a significant impact on my quota, other than the "extra" time it takes for the user to log in, but I'm aware of that and it's a price I'm willing to pay.</p>
<p>The number of iterations I'll make will be the ones that make the time to log in acceptable and imperceptible to the user, so don't worry about this.</p>
<p><strong>My questions are:</strong> </p>
<ol>
<li><strong>Will making MANY iterations have a direct impact on the Instance Hours, or are my assumptions about how the Instance Hours are summed correct?</strong></li>
<li><strong>Is there a CPU time quota on Google App Engine I'm missing somehow? Does it have a Free Quota?</strong></li>
<li><strong>What is the Instance Hours Free Quota?</strong></li>
</ol>
<p>Answers:</p>
<ol>
<li>Look at Moishe's accepted answer and the other question he asked (which has not been answered but has useful comments): <a href="https://stackoverflow.com/questions/11525717/when-does-the-app-engine-scheduler-use-a-new-thread-vs-a-new-instance">When does the App Engine scheduler use a new thread vs. a new instance?</a></li>
<li>According to Google there is no CPU time quota: <a href="http://googleappengine.blogspot.com.es/2009/02/skys-almost-limit-high-cpu-is-no-more.html" rel="nofollow noreferrer">http://googleappengine.blogspot.com.es/2009/02/skys-almost-limit-high-cpu-is-no-more.html</a></li>
<li>Found an answer to question number 3 here: <a href="https://stackoverflow.com/questions/11044186/google-app-engine-frontend-instance-hours-limit-reached">Google App Engine Frontend Instance Hours Limit Reached</a></li>
</ol>
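The trade-off raised in the question, iteration count against CPU spent per login, can be measured rather than guessed. The following is an added example, not part of the original post: it uses PBKDF2-HMAC-SHA256 from the Python standard library as the iterated hash, and every function name, the 50 ms budget and the one-core, one-hash-per-login model are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

FLOOR = 1000  # lower bound; the question's figure, assumed here as a minimum

def hash_password(password, iterations, salt=None):
    """Return 'scheme$iterations$salt$hash' so the cost can be raised later."""
    salt = salt or os.urandom(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())

def verify_password(password, record):
    """Recompute with the stored salt and count; compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def cpu_seconds_per_hash(iterations, samples=3):
    """CPU time (not wall time) of one hash; best of a few runs."""
    best = float("inf")
    for _ in range(samples):
        start = time.process_time()
        hashlib.pbkdf2_hmac("sha256", b"probe", b"0123456789abcdef", iterations)
        best = min(best, time.process_time() - start)
    return best

def calibrate(target_seconds, probe=20000):
    """Iteration count whose CPU cost is about target_seconds on this machine."""
    per_iteration = max(cpu_seconds_per_hash(probe) / probe, 1e-9)
    return max(FLOOR, int(target_seconds / per_iteration))

def cpu_share(logins_per_hour, seconds_per_hash):
    """Fraction of one core-hour spent hashing (assumes one hash per login)."""
    return logins_per_hour * seconds_per_hash / 3600.0

if __name__ == "__main__":
    n = calibrate(0.05)  # 50 ms per login, an assumed budget
    cost = cpu_seconds_per_hash(n)
    print(n, "iterations,", round(cost, 3), "s CPU,", cpu_share(1000, cost))
```

Because the iteration count is stored inside each record, the calibration can be rerun on new hardware and the count raised without invalidating existing hashes.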
 
