A better way to think about passwords

Faramir faramir.cl at gmail.com
Mon Apr 18 12:53:12 CEST 2011

On 17-04-2011 20:39, Grant Olson wrote:
> I think it's worth noting that the low entropy of English (you quoted
> 2.5 bits per char in another thread) isn't just an academic issue.  Real
> password crackers actually do employ multiple strategies and passes in
> order of complexity.  For example, starting with dictionary, then
> dictionary w/leetspeak, eventually brute force, etc.

  Probably the idea is to avoid brute force at all costs, because if you
have to do that, you might be brute-forcing an 8-character password for
more than 50 years (if it mixes lowercase, uppercase, numbers and symbols,
and you just have 1 home computer dedicated to the task).

  Maybe we should just pick a "good password", hash it a couple of
times, and use that hash as the real password... we could carry the
hashing tool on a flash drive.

> My other big gripe with this article is that it completely ignores the
> possibility of an offline attack against the hashes.  It's assuming that
> the limiting factor is the number of times you can access a webpage.

  Right, limiting the attacks makes even 4-digit PIN codes secure, if the
account becomes blocked after 3 wrong attempts. But that won't protect
your password database if it falls into the wrong hands, or your GPG
private keys. And to say "that's a server problem, fix the server" is
wrong, because it will quickly become a user's problem if the password
is cracked, and the user uses the same password for different things (as
a lot of people do).

> I've been goofing around with BitCoin this weekend, and my MacBook Pro
> is generating about 2 Million SHA256 hashes a second.

  I was checking how much time it would take to brute-force an 8-character
SHA-1 password (upper/lowercase characters, plus numbers, plus
symbols), and my machine did 2.5 million tries a second.

  Best Regards
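As an added worked example (not part of Faramir's message or of the thread), the Python below puts numbers on the two figures quoted above: Faramir's 2.5 million SHA-1 tries per second on one home machine and Grant Olson's 2.5 bits per character for English text. The 95-symbol printable-ASCII alphabet, the other character classes and the year length are my assumptions.

```python
import math

# Figures quoted in the thread
TRIES_PER_SECOND = 2.5e6        # Faramir's measured SHA-1 rate, one home machine
ENGLISH_BITS_PER_CHAR = 2.5     # entropy figure Grant Olson quoted for English
SECONDS_PER_YEAR = 365.25 * 24 * 3600   # assumption: Julian year

# Assumed alphabet sizes for an exhaustive (brute-force) search
CHARSETS = {
    "lowercase only": 26,
    "lower+upper+digits": 62,
    "lower+upper+digits+symbols": 95,   # printable ASCII minus space
}


def keyspace(alphabet_size, length):
    """Number of candidates an exhaustive search over this alphabet must cover."""
    return alphabet_size ** length


def worst_case_years(candidates, tries_per_second=TRIES_PER_SECOND):
    """Time to exhaust `candidates` guesses at the given rate, in years."""
    return candidates / tries_per_second / SECONDS_PER_YEAR


def english_equivalent_keyspace(length, bits_per_char=ENGLISH_BITS_PER_CHAR):
    """Effective search space when the password is English-like text: an
    attacker who orders guesses by likelihood needs about 2**entropy tries,
    which is why dictionary passes run long before raw brute force."""
    return 2 ** (bits_per_char * length)


def compare(length):
    """Rows of (label, candidates, years) for every model at this length."""
    rows = [(name, keyspace(size, length), worst_case_years(keyspace(size, length)))
            for name, size in CHARSETS.items()]
    eng = english_equivalent_keyspace(length)
    rows.append((f"English text ({ENGLISH_BITS_PER_CHAR} bits/char)", eng,
                 worst_case_years(eng)))
    return rows


if __name__ == "__main__":
    for name, space, years in compare(8):
        print(f"{name:32s} {space:>14.3g} candidates  {years:>12.4g} years")
```

For 8 characters the full 95-symbol keyspace takes about 84 years at 2.5 million tries a second, matching the "more than 50 years" estimate, while an 8-character English-like password at 2.5 bits per character falls in well under a second.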