Password Hashes, Again

Vlad Dascalu vladd at bugzilla.org
Fri Apr 13 11:39:49 UTC 2012


> In that case, this defeats his whole
> theory, because the attacker doesn't need your password to read the
> whole DB and access all the data he wants.

Passwords are encrypted in the DB to hide their actual value. In case
a hacker gets access, salting passwords doesn't make their discovery
any more difficult than it would be without it.

2012/4/13 Frédéric Buclin <lpsolit at gmail.com>:
> Le 13. 04. 12 09:41, Max Kanat-Alexander a écrit :
>>       tl;dr: You can break most SHA-256 passwords pretty quickly with some GPUs.
>
> It's interesting to see that the author of this post suddenly stops
> giving numbers when talking about salted-passwords. He just states that
> if the attacker could access your DB, he could also access your config
> file (in our case: localconfig). In that case, this defeats his whole
> theory, because the attacker doesn't need your password to read the
> whole DB and access all the data he wants. He is just saying that GPU
> gives you more power to try to crack a SHA-256 salted password, and he
> is right, but it's certainly by far much more difficult to crack than a
> non-salted password. And all his numbers were for non-salted MD5
> passwords anyway, which we don't use.
>
> I wouldn't worry too much for now, at least not till someone can prove
> that SHA-256 salted-passwords are fast to crack (with real numbers).
> Else we are going to change our encryption algorithm every time someone
> writes a new article about security. :)
>
> LpSolit
>
>
> PS: the author suggests PBKDF2, but if you follow the link, it's written
> that "makes brute-force attacks using ASICs or GPUs relatively cheap".
> The other reference, bcrypt, seems to be weaker than scrypt against
> brute-force attacks. So we shouldn't jump in the game too quickly.
> -
> To view or change your list settings, click here:
> <http://bugzilla.org/cgi-bin/mj_wwwusr?user=vladd@bugzilla.org>



More information about the developers mailing list