Password Hashes, Again

Stephanie Daugherty sdaugherty at gmail.com
Fri Apr 13 15:54:22 UTC 2012


How about a dynamic approach to hash strength: benchmark the hardware and
increase the hash strength so that it always takes a particular amount of
CPU time; therefore, as hardware scales, so will the algorithm.
On Apr 13, 2012 7:40 AM, "Vlad Dascalu" <vladd at bugzilla.org> wrote:

> > In that case, this defeats his whole
> > theory, because the attacker doesn't need your password to read the
> > whole DB and access all the data he wants.
>
> Passwords are encrypted in the DB to hide their actual value. In case
> a hacker gets access, salting passwords doesn't make their discovery
> any more difficult than it would be without it.
>
> 2012/4/13 Frédéric Buclin <lpsolit at gmail.com>:
> > On 13.04.12 09:41, Max Kanat-Alexander wrote:
> >>       tl;dr: You can break most SHA-256 passwords pretty quickly with
> >> some GPUs.
> >
> > It's interesting to see that the author of this post suddenly stops
> > giving numbers when talking about salted-passwords. He just states that
> > if the attacker could access your DB, he could also access your config
> > file (in our case: localconfig). In that case, this defeats his whole
> > theory, because the attacker doesn't need your password to read the
> > whole DB and access all the data he wants. He is just saying that GPU
> > gives you more power to try to crack a SHA-256 salted password, and he
> > is right, but it's certainly far more difficult to crack than a
> > non-salted password. And all his numbers were for non-salted MD5
> > passwords anyway, which we don't use.
> >
> > I wouldn't worry too much for now, at least not till someone can prove
> > that SHA-256 salted-passwords are fast to crack (with real numbers).
> > Otherwise we are going to change our encryption algorithm every time
> > someone writes a new article about security. :)
> >
> > LpSolit
> >
> >
> > PS: the author suggests PBKDF2, but if you follow the link, it says that
> > it "makes brute-force attacks using ASICs or GPUs relatively cheap".
> > The other reference, bcrypt, seems to be weaker than scrypt against
> > brute-force attacks. So we shouldn't jump in the game too quickly.
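The calibration idea proposed at the top of this message, as an added example that is not code from the thread or from Bugzilla: a probe run of PBKDF2-HMAC-SHA256 is timed, the iteration count is scaled to a target CPU time, a floor keeps calibration on a slow or loaded host from ever producing a weaker setting, and the cost is stored inside each record so hashes produced under an older calibration still verify and can be upgraded at the next login. The record format, the constants and the function names are assumptions chosen for illustration.

```python
"""Hardware-calibrated PBKDF2 work factor with the cost stored in each record.

Added example: constants, record format and function names are assumptions,
not Bugzilla's own code.
"""
import hashlib
import hmac
import os
import time

# Floor so that calibrating on a slow or heavily loaded host can never
# yield a weaker setting than this (constructed value for illustration).
MIN_ITERATIONS = 100_000
# Iteration count for the timing probe; small enough to finish quickly.
PROBE_ITERATIONS = 20_000
RECORD_PREFIX = "pbkdf2_sha256"


def time_pbkdf2(iterations: int, trials: int = 3) -> float:
    """Best-of-N wall-clock seconds for one PBKDF2-HMAC-SHA256 derivation.

    Best-of-N rather than the mean, so a scheduling hiccup during the probe
    does not inflate the reading and under-size the work factor.
    """
    best = float("inf")
    for _ in range(trials):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"calibration-password",
                            b"calibration-salt", iterations)
        best = min(best, time.perf_counter() - start)
    return best


def calibrate_iterations(target_seconds: float = 0.1,
                         probe: int = PROBE_ITERATIONS,
                         floor: int = MIN_ITERATIONS) -> int:
    """Scale the probe cost to the target time; PBKDF2 cost is linear in iterations."""
    elapsed = max(time_pbkdf2(probe), 1e-6)  # guard against a zero reading
    scaled = int(probe * target_seconds / elapsed)
    scaled = (scaled // 1000) * 1000  # round down to a readable multiple of 1000
    return max(scaled, floor)


def hash_password(password: str, iterations: int) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>'."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{RECORD_PREFIX}${iterations}${salt.hex()}${dk.hex()}"


def parse_record(record: str):
    """Split a stored record into (iterations, salt, derived key)."""
    prefix, iters, salt_hex, dk_hex = record.split("$")
    if prefix != RECORD_PREFIX:
        raise ValueError(f"unsupported record type: {prefix!r}")
    return int(iters), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the iteration count stored in the record; compare in constant time."""
    iterations, salt, expected = parse_record(record)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def verify_and_upgrade(password: str, record: str, current_iterations: int):
    """Verify, and if the record is below the current cost, return a rehashed record.

    Returns (ok, new_record); new_record is None when the password was wrong
    or no upgrade is needed. Login is the only moment the cleartext password
    is available, so this is where stored records move to the new cost.
    """
    if not verify_password(password, record):
        return False, None
    stored_iterations, _, _ = parse_record(record)
    if stored_iterations < current_iterations:
        return True, hash_password(password, current_iterations)
    return True, None


if __name__ == "__main__":
    cost = calibrate_iterations(target_seconds=0.1)
    print(f"calibrated iteration count for ~100 ms on this host: {cost}")
    rec = hash_password("correct horse battery staple", cost)
    print(rec)
    print("verify:", verify_password("correct horse battery staple", rec))
```

Calibrate once at install or service start and keep the result in configuration rather than recalibrating on every request; the stored per-record cost is what lets records from different calibrations coexist, and the floor is what stops a mis-measured or deliberately loaded host from quietly lowering the work factor.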

