
Re: Adding Secure Passwords to Linux

From Spiros Bousbouras <spibou@gmail.com>
Newsgroups comp.os.linux.security
Subject Re: Adding Secure Passwords to Linux
Date Thu, 15 Jun 2023 20:30:34 -0000 (UTC)
Organization To protect and to server
Message-ID <LLjnsdLcytWABYcN3@bongo-ra.co>
References <b5a2266d-b904-4175-bbaf-a4e5139754bbn@googlegroups.com> <20220729083657.53e8c00e@8200cmt> <A3fdFLvyyyKnZ8KuK@bongo-ra.co> <slrnu8e496.28ha.trepidation@vps.jonz.net> <wwvcz20r8dn.fsf@LkoBDZeT.terraraq.uk>


On Mon, 12 Jun 2023 16:46:28 +0100
Richard Kettlewell <invalid@invalid.invalid> wrote:
> The threat model is an attacker who has acquired a collection of hashed
> passwords; they then attack them on their own equipment via exhaustive
> search.
> 
> Measuring the attacker in terms of attempts per second isn’t always very
> useful though, since the attack scales extremely well.

The defence also scales extremely well, you just add a few more characters
to the password. So how many more characters does one need per GPU an
attacker can throw at the problem?

> 10^18 SHA256
> hashes per second is within human civilization’s capacity for example.

    64**16 / (10**18 * 3600 * 24 * 366) = 2505 years

Seems pretty safe to me.

> A common approach is to estimate the money cost of recovering a password
> of a given complexity, for instance based on the cost of renting GPU
> capacity from a cloud service provider.

A more "objective" criterion is electricity consumption. So how many
watts of electricity would it take to do 10^18 SHA256 hashes per second?

-- 
vlaho.ninja/prog
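
Added example, not part of the original post: the exhaustive-search arithmetic above, generalised to find the password length needed for a target search time and the extra characters that cancel an N-fold increase in attacker hardware. It assumes uniformly random passwords and one unsalted fast hash per guess; the function names are this example's own.

```python
SECONDS_PER_YEAR = 3600 * 24 * 366  # same year length as the post's calculation


def keyspace(alphabet_size, length):
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size, length, hashes_per_second):
    """Years to try every candidate (attacker's worst case; average is half)."""
    return keyspace(alphabet_size, length) / (hashes_per_second * SECONDS_PER_YEAR)


def min_length(alphabet_size, hashes_per_second, target_years):
    """Shortest random password whose full search takes >= target_years."""
    guesses_needed = hashes_per_second * SECONDS_PER_YEAR * target_years
    length = 1
    while keyspace(alphabet_size, length) < guesses_needed:
        length += 1
    return length


def extra_chars_for_scaling(alphabet_size, factor):
    """Extra characters that offset a `factor`-fold faster attacker.

    Each added character multiplies the keyspace by alphabet_size, so we
    need the smallest n with alphabet_size**n >= factor (integer arithmetic
    avoids floating-point log rounding at exact powers).
    """
    extra = 0
    while alphabet_size ** extra < factor:
        extra += 1
    return extra


if __name__ == "__main__":
    rate = 10 ** 18  # hashes per second, the figure quoted in the thread
    print(f"64^16 at 10^18 H/s: {years_to_exhaust(64, 16, rate):.0f} years")
    for factor in (2, 1000, 10 ** 6):
        n = extra_chars_for_scaling(64, factor)
        print(f"{factor}x more hardware is offset by {n} extra character(s)")
    print("length for 1e6 years:", min_length(64, rate, 10 ** 6))
```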



Thread

Adding Secure Passwords to Linux John Savard <quadibloc@gmail.com> - 2022-07-28 11:25 -0700
  Re: Adding Secure Passwords to Linux Richard Kettlewell <invalid@invalid.invalid> - 2022-07-28 21:16 +0100
  Re: Adding Secure Passwords to Linux Marco Moock <mo01@posteo.de> - 2022-07-29 08:36 +0200
    Re: Adding Secure Passwords to Linux Spiros Bousbouras <spibou@gmail.com> - 2023-06-11 10:30 +0000
      Re: Adding Secure Passwords to Linux Allodoxaphobia <trepidation@example.net> - 2023-06-12 12:35 +0000
        Re: Adding Secure Passwords to Linux Spiros Bousbouras <spibou@gmail.com> - 2023-06-12 13:33 +0000
        Re: Adding Secure Passwords to Linux Richard Kettlewell <invalid@invalid.invalid> - 2023-06-12 16:46 +0100
          Re: Adding Secure Passwords to Linux Bit Twister <BitTwister@mouse-potato.com> - 2023-06-13 08:10 -0500
            Re: Adding Secure Passwords to Linux "David W. Hodgins" <dwhodgins@nomail.afraid.org> - 2023-06-13 15:12 -0400
          Re: Adding Secure Passwords to Linux Spiros Bousbouras <spibou@gmail.com> - 2023-06-15 20:30 +0000
            Re: Adding Secure Passwords to Linux Richard Kettlewell <invalid@invalid.invalid> - 2023-06-16 08:29 +0100
              Re: Adding Secure Passwords to Linux Spiros Bousbouras <spibou@gmail.com> - 2023-06-16 11:18 +0000
  Re: Adding Secure Passwords to Linux John McCue <jmccue@magnetar.jmcunx.com> - 2023-06-11 14:28 +0000
