From: Spiros Bousbouras
Newsgroups: comp.os.linux.security
Subject: Re: Adding Secure Passwords to Linux
Date: Mon, 12 Jun 2023 13:33:49 -0000 (UTC)
References: <20220729083657.53e8c00e@8200cmt>

On 12 Jun 2023 12:35:50 GMT
Allodoxaphobia wrote:
> On Sun, 11 Jun 2023 10:30:40 -0000 (UTC), Spiros Bousbouras wrote:
> > On Fri, 29 Jul 2022 08:36:57 +0200
> > Marco Moock wrote:
> >> On Thu, 28 Jul 2022 11:25:49 -0700 (PDT)
> >> John Savard wrote:
> >>
> >> > I just encountered an article saying that, since today's GPUs are so
> >> > powerful, there's no such thing as a secure password any more.
> >>
> >> It depends on the length. Longer passwords are better. The process of
> >> cracking passwords when a hash table is available, even if salted, is
> >> decreasing because GPUs become faster and this process can easily be
> >> split on many machines.
> >> There are some steps that can increase the time:
> >>
> >> Longer passwords (The amount of time needed increases exponentially with
> >> the length of the pw)
> >
> > Assume that an attacker can test 10**12 passwords per second.
>
> What internet-facing firewall would entertain 10**12 password attempts
> per second?!?!

That's beside the point. The posts I quoted address the issue of whether
GPUs are so powerful that you can't create a password of reasonable length
which cannot be cracked through brute force. I provided a simple calculation
which suggests that, even with an attacker with extraordinary computing
power available, a password with only 16 characters would be safe.

-- 
vlaho.ninja/prog