From: Spiros Bousbouras
Newsgroups: comp.os.linux.security
Subject: Re: Adding Secure Passwords to Linux
Date: Sun, 11 Jun 2023 10:30:40 -0000 (UTC)
Organization: To protect and to server
References: <20220729083657.53e8c00e@8200cmt>

On Fri, 29 Jul 2022 08:36:57 +0200
Marco Moock wrote:
> On Thu, 28 Jul 2022 11:25:49 -0700 (PDT)
> John Savard wrote:
>
> > I just encountered an article saying that, since today's GPUs are so
> > powerful, there's no such thing as a secure password any more.
>
> It depends on the length. Longer passwords are better. The process of
> cracking passwords when a hash table is available, even if salted, is
> decreasing because GPUs become faster and this process can easily be
> split on many machines.
> There are some steps that can increase the time:
>
> Longer passwords (The amount of time needed increases exponentially with
> the length of the pw)

Assume that an attacker can test 10**12 passwords per second. Let's say that
we create a password using an alphabet which has A-Z a-z 0-9 ,. which
makes it a round (in binary !) 64 characters. If we have a uniform random
way to pick a character for each position of the password then in order to
brute force a password with 16 characters would take

    64**16 / (10**12 * 3600 * 24 * 366) = 2505444321 years

where I have assumed for simplicity that each year has 366 days. Is there
something seriously wrong with my calculations ? If not then I don't see
a problem.

For picking uniform random values, /dev/random and /dev/urandom fit the
bill.

-- 
Advances in the psychic and related sciences may bring means of exploring
unexpressed beliefs, thoughts and emotions.
    MR. JUSTICE BRANDEIS
http://supreme.justia.com/cases/federal/us/277/438/case.html
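
Added example, not part of the original post or thread: a Python sketch that picks each character uniformly from the post's 64-symbol alphabet using the kernel CSPRNG and reproduces the exhaustive-search estimate with the post's figures (10**12 guesses per second, 366-day years). The function names are illustrative, and the rejection step generalizes beyond the post to alphabets whose size does not divide 256.

```python
import math
import os

# Alphabet from the post: A-Z a-z 0-9 , .  (64 symbols)
ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789,."
)
SECONDS_PER_YEAR = 3600 * 24 * 366  # the post's simplification


def random_password(length=16, alphabet=ALPHABET, rng=os.urandom):
    """Pick each character uniformly from bytes supplied by rng.

    The default rng, os.urandom, draws from the kernel CSPRNG that also
    backs /dev/urandom. Bytes >= limit are rejected so every symbol stays
    equally likely when len(alphabet) does not divide 256 (no modulo bias).
    For the 64-symbol alphabet limit is 256 and nothing is rejected.
    """
    n = len(alphabet)
    if not 1 < n <= 256 or len(set(alphabet)) != n:
        raise ValueError("alphabet must hold 2..256 distinct symbols")
    limit = 256 - (256 % n)
    out = []
    while len(out) < length:
        for b in rng(2 * (length - len(out))):
            if b < limit and len(out) < length:
                out.append(alphabet[b % n])
    return "".join(out)


def keyspace_bits(length, n):
    """Entropy in bits of a uniformly chosen password."""
    return length * math.log2(n)


def years_to_exhaust(length, n, guesses_per_second=10**12):
    """Whole years to try every candidate (worst case; average is half)."""
    return n**length // (guesses_per_second * SECONDS_PER_YEAR)


if __name__ == "__main__":
    print(random_password())
    print(keyspace_bits(16, 64), "bits,", years_to_exhaust(16, 64), "years")
```

The estimate only holds for passwords generated this way; a human-chosen 16-character password draws from a far smaller effective keyspace.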