Il giorno 12/feb/2013, alle ore 17:41, Jesus Cea <[email protected]> ha scritto:
> -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 11/02/13 14:38, Donald Stufft wrote: >> What were they hashed with? Even with a salt a fast hash is trivial >> to bruteforce for a large number of passwords in practically no >> time with trivial hardware. > > Not if your salt has 256 bits of entropy. The size of the salt does not influence bruteforcing, since the salt is part of the password hash, so it's known to the attacker. You just load salt+hash into John The Ripper, and bruteforce it. This cluster of 25 consumer Radeon cards: http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/ can crack SHA1+salt at 63 billion guesses *per second*. Just to give an idea, if you consider a character set of 80 characters (lowercase, uppercase, numbers, plus symbols), all combinations up to 6 characters can be cracked by that cluster in 4,25 seconds (for each given salt). Up to 7 chars in 337 seconds. Up to 9 chars in 25 days. Obviously, it's actually worse than that, because attackers will use dictionary attacks (with builtin leetification, etc.). So SHA1+salt is indeed broken, for good. > Usual approach would be to use two salts: a personal salt per user, > stored in a different database of the hashed password (to reduce the > posibility of the same bug affecting both databases), and a global per > site salt, stored outside of the database. If I understand you correctly, this second "site salt" is not a salt but a secret, and you shouldn't use it directly within SHA1, but through a PRF. I sent an email yesterday about this: http://mail.python.org/pipermail/catalog-sig/2013-February/005081.html -- Giovanni Bajo :: [email protected] Develer S.r.l. :: http://www.develer.com My Blog: http://giovanni.bajo.it
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Catalog-SIG mailing list [email protected] http://mail.python.org/mailman/listinfo/catalog-sig
