Password Hashes, Again

Frédéric Buclin lpsolit at
Fri Apr 13 10:19:56 UTC 2012

Le 13. 04. 12 09:41, Max Kanat-Alexander a écrit :
> 	tl;dr: You can break most SHA-256 passwords pretty quickly with some GPUs.

It's interesting to see that the author of this post suddenly stops
giving numbers when talking about salted-passwords. He just states that
if the attacker could access your DB, he could also access your config
file (in our case: localconfig). In that case, this defeats his whole
theory, because the attacker doesn't need your password to read the
whole DB and access all the data he wants. He is just saying that GPU
gives you more power to try to crack a SHA-256 salted password, and he
is right, but it's certainly by far much more difficult to crack than a
non-salted password. And all his numbers were for non-salted MD5
passwords anyway, which we don't use.

I wouldn't worry too much for now, at least not till someone can prove
that SHA-256 salted-passwords are fast to crack (with real numbers).
Else we are going to change our encryption algorithm every time someone
writes a new article about security. :)


PS: the author suggests PBKDF2, but if you follow the link, it's written
that "makes brute-force attacks using ASICs or GPUs relatively cheap".
The other reference, bcrypt, seems to be weaker than scrypt against
brute-force attacks. So we shouldn't jump in the game too quickly.

More information about the developers mailing list