On Tuesday, February 12, 2013 at 11:41 AM, Jesus Cea wrote:

> On 11/02/13 14:38, Donald Stufft wrote:
> > What were they hashed with? Even with a salt a fast hash is trivial
> > to bruteforce for a large number of passwords in practically no
> > time with trivial hardware.
>
> Not if your salt has 256 bits of entropy.
>
> Usual approach would be to use two salts: a personal salt per user,
> stored in a different database from the hashed password (to reduce the
> possibility of the same bug affecting both databases), and a global per
> site salt, stored outside of the database.
>
> Salts can be big. You can't brute-force a 256 bit salt.

You don't need to bruteforce a salt; if the application knows it, you can assume the attacker will know it, either by directly using your login routines or by having stolen it along with your database. The only thing you're bruteforcing is the unknown element, e.g. the user's password. Commodity hardware can easily break 192MiB/s[1] in sha1, even more if you invest in hardware.

A 256bit salt is practically meaningless in terms of bruteforcing the unknown element.

[1] http://www.cryptopp.com/benchmarks-amd64.html

> --
> Jesús Cea Avión
> [email protected] - http://www.jcea.es/
> jabber / xmpp:[email protected]
> "Things are not so easy"
> "My name is Dump, Core Dump"
> "Love is placing your happiness in the happiness of another" - Leibniz
>
> _______________________________________________
> Catalog-SIG mailing list
> [email protected]
> http://mail.python.org/mailman/listinfo/catalog-sig
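Donald's point, as an added example that is not part of the original thread: a dictionary check against a stored (salt, digest) record recovers a weak password no matter how large the salt is, because the salt is in the stolen record and only the password is unknown; the defender's only lever is the cost of each guess. The salt, password and wordlist below are constructed, and PBKDF2-HMAC-SHA1 is assumed as a stand-in for a slow KDF (the thread names none).

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed sample record: a 256-bit random salt (as Jesus proposes) and a
# weak password hashed the "fast" way, one SHA-1 pass over salt || password.
SALT = os.urandom(32)
PASSWORD = "hunter2"

# Constructed wordlist; a real one would hold millions of entries.
CANDIDATES = ["password", "123456", "letmein", "hunter2", "qwerty"]


def fast_hash(salt: bytes, password: str) -> bytes:
    # Single SHA-1 pass: the scheme Donald says is trivial to brute-force.
    return hashlib.sha1(salt + password.encode()).digest()


def slow_hash(salt: bytes, password: str, iterations: int = 100_000) -> bytes:
    # Assumed stand-in for a slow KDF: PBKDF2-HMAC-SHA1 with many iterations.
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)


def recover(stored: bytes, salt: bytes, candidates, hasher) -> Optional[str]:
    # The salt comes straight from the stolen record, so its size never
    # enters the search space; only the password is guessed.
    for guess in candidates:
        if hmac.compare_digest(hasher(salt, guess), stored):
            return guess
    return None


def seconds_per_guess(hasher, salt: bytes, guesses: int) -> float:
    # Cost of one guess under a given hash: the one thing the defender
    # still controls once the database (salt included) is in the attacker's hands.
    start = time.perf_counter()
    for i in range(guesses):
        hasher(salt, f"guess{i}")
    return (time.perf_counter() - start) / guesses


def slowdown_factor() -> float:
    # How many times more expensive each guess becomes under the slow KDF.
    fast = seconds_per_guess(fast_hash, SALT, 2_000)
    slow = seconds_per_guess(slow_hash, SALT, 5)
    return slow / fast


if __name__ == "__main__":
    print("fast hash, 256-bit salt:", recover(fast_hash(SALT, PASSWORD), SALT, CANDIDATES, fast_hash))
    print("slow KDF,  256-bit salt:", recover(slow_hash(SALT, PASSWORD), SALT, CANDIDATES, slow_hash))
    print(f"slow KDF costs {slowdown_factor():.0f}x more per guess")
```

Both schemes give up the weak password; the slow KDF only changes how many guesses per second the attacker's hardware can afford.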
