Groups | Search | Server Info | Login | Register

Groups > comp.os.linux.security > #772

Re: Adding Secure Passwords to Linux

From Spiros Bousbouras <spibou@gmail.com>
Newsgroups comp.os.linux.security
Subject Re: Adding Secure Passwords to Linux
Date 2023-06-15 20:30 +0000
Organization To protect and to server
Message-ID <LLjnsdLcytWABYcN3@bongo-ra.co> (permalink)
References <b5a2266d-b904-4175-bbaf-a4e5139754bbn@googlegroups.com> <20220729083657.53e8c00e@8200cmt> <A3fdFLvyyyKnZ8KuK@bongo-ra.co> <slrnu8e496.28ha.trepidation@vps.jonz.net> <wwvcz20r8dn.fsf@LkoBDZeT.terraraq.uk>

Show all headers | View raw

On Mon, 12 Jun 2023 16:46:28 +0100
Richard Kettlewell <invalid@invalid.invalid> wrote:
> The threat model is an attacker who has acquired a collection of hashed
> passwords; they then attack them on their own equipment via exhaustive
> search.
> 
> Measuring the attacker in terms of attempts per second isn’t always very
> useful though, since the attack scales extremely well.

The defence also scales extremely well , you just add a few more characters
to the password. So how many more characters does one need per GPU an
attacker can throw at the problem ?

> 10^18 SHA256
> hashes per second is within human civilization’s capacity for example.

    64**16 / (10**18 * 3600 * 24 * 366) = 2505 years

Seems pretty safe to me.

> A common approach is to estimate the money cost of recovering a password
> of a given complexity, for instance based on the cost of renting GPU
> capacity from a cloud service provider.

A more "objective" criterion is electricity consumption. So how many
watts of electricity would it take to do 10^18 SHA256 hashes per second ?

-- 
vlaho.ninja/prog

Back to comp.os.linux.security | Previous | NextPrevious in thread | Next in thread | Find similar

Thread

Adding Secure Passwords to Linux John Savard <quadibloc@gmail.com> - 2022-07-28 11:25 -0700
  Re: Adding Secure Passwords to Linux Richard Kettlewell <invalid@invalid.invalid> - 2022-07-28 21:16 +0100
  Re: Adding Secure Passwords to Linux Marco Moock <mo01@posteo.de> - 2022-07-29 08:36 +0200
    Re: Adding Secure Passwords to Linux Spiros Bousbouras <spibou@gmail.com> - 2023-06-11 10:30 +0000
      Re: Adding Secure Passwords to Linux Allodoxaphobia <trepidation@example.net> - 2023-06-12 12:35 +0000
        Re: Adding Secure Passwords to Linux Spiros Bousbouras <spibou@gmail.com> - 2023-06-12 13:33 +0000
        Re: Adding Secure Passwords to Linux Richard Kettlewell <invalid@invalid.invalid> - 2023-06-12 16:46 +0100
          Re: Adding Secure Passwords to Linux Bit Twister <BitTwister@mouse-potato.com> - 2023-06-13 08:10 -0500
            Re: Adding Secure Passwords to Linux "David W. Hodgins" <dwhodgins@nomail.afraid.org> - 2023-06-13 15:12 -0400
          Re: Adding Secure Passwords to Linux Spiros Bousbouras <spibou@gmail.com> - 2023-06-15 20:30 +0000
            Re: Adding Secure Passwords to Linux Richard Kettlewell <invalid@invalid.invalid> - 2023-06-16 08:29 +0100
              Re: Adding Secure Passwords to Linux Spiros Bousbouras <spibou@gmail.com> - 2023-06-16 11:18 +0000
  Re: Adding Secure Passwords to Linux John McCue <jmccue@magnetar.jmcunx.com> - 2023-06-11 14:28 +0000

csiph-web