Because you don't understand that different applications are different. If sugar is bad for you, why is it legal to sell fruit?
On 15 September 2025 08:06:47 CEST, Vasilenko Eduard via NANOG <[email protected]> wrote: >If it is so easy to enforce long enough and random enough passwords, >Then why did IT people move to hashes with much lower speed? > >Take, for example, 16 really random letters (on keyboard), then the time to >check all MD5s would go to 9.2B years (for the same 8 cards "NVIDIA GeForce >RTX 5090"). >Even if the attacker gets access to 100k of "NVIDIA GeForce RTX 5090", it is >still 0.72M years. >16 random letters are definitely enough for the purpose. >Ed/ >-----Original Message----- >From: Jay Acuna via NANOG <[email protected]> >Sent: Friday, September 12, 2025 18:17 >To: North American Network Operators Group <[email protected]> >Cc: Jay Acuna <[email protected]> >Subject: Re: MD5 is too fast > >On Thu, Sep 11, 2025 at 10:17 AM nanog--- via NANOG <[email protected]> >wrote: >> > >See; The simple policy of: Routing protocol keys are to be created using >"pwgen 85" or at least "pwgen 38". >Never create a key by hand. This rule preferably applies to all `passwords' >sent over the network or keys which secure a network protocol, even if >encrypted transport is used, and even if hashed. > >> Have you calculated how long it should take to test all 80-bit passwords? >> 200-bit passwords? 2000-bit passwords? >A password with 80bits randomness or entropy (An ~11-character properly >generated random password) contains 2^80 = 1208925819614629174706176 >possibilities. > >If you can make 1 Trillion guesses per second, then it takes on average 19167 > years to crack. >That is the expectation if the hash is secure. >You divide the number of possibilities by (two times the number of guesses >per second)*86400*365. >Current hardware gets you 80 million guesses per second per GPU for about >$1800 per node, So the 1 trillion guesses per second is 12,500 hardware nodes >obtainable by spending approximately $22.5 million. > >At that rate you need approximately 10 years' worth of brute forcing before >you have a >= 0.1% chance of guessing it randomly. > >Each additional bit doubles the figures up to approximately 128 bits. >Where you are looking at a 5395141535403007094 years to crack on average. >Adding bits will eventually reach the problem that your hashing algorithm only >maps inputs to 256 bits of output, so the adversary could guess a different >password from yours which happens to hash to the same value as the correct one. > >> Suppose that a good server can try about a billion passwords per second. How >> long do you think it takes to try all the passwords? >-- >-JA >_______________________________________________ >NANOG mailing list >https://lists.nanog.org/archives/list/[email protected]/message/BNJVO2FJCT7CPD5FZSOWRBAZCJLPCNVZ/ >_______________________________________________ >NANOG mailing list >https://lists.nanog.org/archives/list/[email protected]/message/FRWYU5IWBZU3F73ILPW5ABLRDUGOUBG2/ _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/[email protected]/message/AOXWCH6QVEEX6EUUGCJCXA5EVUSV44F4/
