A better way to think about passwords

Faramir faramir.cl at gmail.com
Mon Apr 18 12:53:12 CEST 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 17-04-2011 20:39, Grant Olson wrote:
...
> I think it's worth noting that the low entropy of english (you quoted
> 2.5 bits per char in another thread) isn't just an academic issue.  Real
> password crackers actually do employ multiple strategies and passes in
> order of complexity.  For example, starting with dictionary, then
> dictionary w/leetspeak, eventually brute force, etc.

  Probably the idea is to avoid brute force at all costs, because if you
have to do that, you might be brute-forcing an 8-character password for
more than 50 years (if mixed lowercase, uppercase, numbers and symbols,
and you just have 1 home computer dedicated to the task).

  Maybe we should just pick a "good password", hash it a couple of
times, and use that hash as the real password... we could carry the
hashing tool in a flash drive.

> My other big gripe with this article is that it completely ignores the
> possibility of an offline attack against the hashes.  It's assuming that
> the limiting factor is the number of times you can access a webpage.

  Right, limiting the attempts makes even 4-digit PIN codes secure, if the
account becomes blocked after 3 wrong attempts. But that won't protect
your password database if it falls into the wrong hands, or your GPG
private keys. And to say "that's a server problem, fix the server" is
wrong, because it will quickly become a user's problem if the password
is cracked and the user uses the same password for different things (as
a lot of people do).

> I've been goofing around with BitCoin this weekend, and my MacBook Pro
> is generating about 2 Million SHA256 hashes a second.

  I was checking how much time it would take to brute-force an 8-character
SHA-1 password (upper/lowercase characters, plus numbers, plus
symbols), and my machine did 2.5 million tries a second.

  Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBCAAGBQJNrBgYAAoJEMV4f6PvczxA2HcH/jYcj4b7Y0Dk/2GPOyY4MFKE
CB4JMMbJzcdstEN8Djg8r11FI6l1KwGYT3TBCEDPD6+cNjpF+OySGkB/eqr7Fh8y
JuRbIfWccxDN1uydYJgEeNNDF02p5PZx1m1xiBe/J8FFdsI+2M8J43sIOx3qwZyH
r3vPhzNItzruknnuztxD+ai9NjcnkAefzJl2z9rrs0ILUwIupWQyURzmBrVpW5da
HaQFk5wzd5bP0vEj5R5HtoTMG5g17djxmdyBHEypEngi5GsAZlHbT8JUPwBoPdvj
c2fZBTe9xxnFj0xkmPEQguSNtXgPSIt2uEcE/RjTYIqflwwc2p5tHGjPByL+4z4=
=oVt9
-----END PGP SIGNATURE-----
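The two cost arguments in this message (the years needed to brute-force an 8-character printable-ASCII password at a few million hashes per second, and a cracker that tries cheap strategies before brute force, as Grant Olson describes) can be made concrete. The following is an added example written for this archive page; it is not code from either poster. The only figures taken from the thread are the quoted rates (2.0e6 SHA-256/s and 2.5e6 SHA-1/s on one 2011 machine) and the 2.5 bits-per-character estimate for English; the wordlist, the target hashes, the leetspeak table and the iteration counts are constructed for illustration. Unsalted SHA-256 is used as the target hash because that is the function whose throughput the thread quotes.

```python
"""Offline attacks on password hashes: cost estimates and a tiered cracker.

Added illustration for the gnupg-users thread above, not the posters' code.
Hash rates are the thread's figures for one 2011 machine; the wordlist,
targets, LEET table and iteration counts are constructed for this example.
"""
import hashlib
import itertools
import math
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600
# The 95 printable ASCII characters: upper/lowercase, digits, symbols, space.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "
RATES = {"SHA-256 (MacBook Pro)": 2.0e6, "SHA-1 (other poster)": 2.5e6}


def keyspace(charset_size: int, length: int) -> int:
    """Candidates of exactly `length` characters drawn from the charset."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password of that shape."""
    return length * math.log2(charset_size)


def english_keyspace(length: int, bits_per_char: float = 2.5) -> float:
    """Effective candidates for an English phrase at ~2.5 bits per character."""
    return 2 ** (bits_per_char * length)


def expected_years(candidates: float, hashes_per_second: float,
                   iterations: int = 1) -> float:
    """Expected single-machine time to hit the password.

    On average half the candidates are tried before success. `iterations`
    models key stretching (PBKDF2-style): each guess costs that many hashes,
    so the attacker's throughput in guesses/s drops by the same factor.
    """
    return candidates / 2 * iterations / hashes_per_second / SECONDS_PER_YEAR


# --- tiered cracking: cheapest strategy first, as the quoted post describes ---
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}  # constructed
WORDLIST = ["letmein", "password", "qwerty"]  # constructed toy dictionary


def leet_variants(word: str):
    """Every combination of LEET substitutions, the plain word included."""
    options = [(c, LEET[c]) if c in LEET else (c,) for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def brute_candidates(alphabet: str, max_len: int):
    """All strings over `alphabet` of length 1..max_len, shortest first."""
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            yield "".join(tup)


def sha256_hex(s: str) -> str:
    """Unsalted SHA-256, the hash whose rate the thread quotes."""
    return hashlib.sha256(s.encode()).hexdigest()


def tiered_crack(target_hex: str, wordlist, max_brute_len: int = 3):
    """Dictionary, then dictionary with leetspeak, then lowercase brute force.

    Returns (tier, password, guesses) or None if every tier is exhausted.
    """
    tiers = [
        ("dictionary", lambda: iter(wordlist)),
        ("leetspeak", lambda: (v for w in wordlist for v in leet_variants(w))),
        ("brute_force", lambda: brute_candidates(string.ascii_lowercase, max_brute_len)),
    ]
    guesses = 0
    for name, make_gen in tiers:
        for cand in make_gen():
            guesses += 1
            if sha256_hex(cand) == target_hex:
                return name, cand, guesses
    return None


if __name__ == "__main__":
    n8 = keyspace(len(PRINTABLE), 8)
    print(f"8 printable chars: {entropy_bits(len(PRINTABLE), 8):.1f} bits, {n8:.2e} candidates")
    print(f"20-char English phrase at 2.5 bits/char: {english_keyspace(20):.2e} candidates")
    for label, rate in RATES.items():
        for iters in (1, 10_000):
            yrs = expected_years(n8, rate, iters)
            print(f"  {label}, {iters:>6} iteration(s)/guess: {yrs:,.0f} expected years")
    for secret in ("letmein", "p4ssw0rd", "zz", "Zz9!"):
        print(secret, "->", tiered_crack(sha256_hex(secret), WORDLIST))
```

Two things the numbers make visible. First, at 2.5 million unsalted hashes per second the expected time for an 8-character printable-ASCII password is about 42 years (the full keyspace takes twice that), which is the scale the message gives; a 20-character English sentence at 2.5 bits per character has a smaller effective keyspace than those 8 random characters, which is Grant Olson's point that the low entropy of English matters. Second, the `iterations` parameter shows why key stretching, not just a blocking rule on the server, is what protects a stolen hash database or a GPG private key file: ten thousand iterations per guess turn those 42 years into hundreds of thousands, while costing a legitimate user one extra fraction of a second per login.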


