| From | Bit Twister <BitTwister@mouse-potato.com> |
|---|---|
| Newsgroups | comp.os.linux.security |
| Subject | Re: Adding Secure Passwords to Linux |
| Date | 2023-06-13 08:10 -0500 |
| Organization | A noiseless patient Spider |
| Message-ID | <slrnu8gqn4.22d8g.BitTwister@wb.home.arpa> |
| References | <b5a2266d-b904-4175-bbaf-a4e5139754bbn@googlegroups.com> <20220729083657.53e8c00e@8200cmt> <A3fdFLvyyyKnZ8KuK@bongo-ra.co> <slrnu8e496.28ha.trepidation@vps.jonz.net> <wwvcz20r8dn.fsf@LkoBDZeT.terraraq.uk> |
On Mon, 12 Jun 2023 16:46:28 +0100, Richard Kettlewell wrote:
> Allodoxaphobia <trepidation@example.net> writes:
>> On Sun, 11 Jun 2023 10:30:40 -0000 (UTC), Spiros Bousbouras wrote:
>>> On Fri, 29 Jul 2022 08:36:57 +0200
>>> Marco Moock <mo01@posteo.de> wrote:
>>>> It depends on the length. Longer passwords are better. The process of
>>>> cracking passwords when a hash table is available, even if salted, is
>>>> decreasing because GPUs become faster and this process can easily be
>>>> split on many machines.
>>>> There are some steps that can increase the time:
>>>>
>>>> Longer passwords (The amount of time needed increases exponentially with
>>>> the length of the pw)
>>>
>>> Assume that an attacker can test 10**12 passwords per second.
>>
>> What internet-facing firewall would entertain 10**12 password attempts
>> per second?!?!
>
> The threat model is an attacker who has acquired a collection of hashed
> passwords; they then attack them on their own equipment via exhaustive
> search.
>
> Measuring the attacker in terms of attempts per second isn’t always very
> useful though, since the attack scales extremely well. 10^18 SHA256
> hashes per second is within human civilization’s capacity for example.
>
> A common approach is to estimate the money cost of recovering a password
> of a given complexity, for instance based on the cost of renting GPU
> capacity from a cloud service provider.
>

Surprised during speed calculation discussion no one has mentioned rainbow tables.
https://en.wikipedia.org/wiki/Rainbow_table

Also, what type of attack is it? If guessing during login there would be the
authorization failure delay to add to the crack duration time.
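
Added example, not part of any post in this thread: a password-policy sizing calculation that puts the thread's figures side by side, giving the minimum length of a uniformly random password that holds for a target time against the two offline rates quoted above and against throttled login guessing. The 3-second login delay, the 10-year target and the `rental_cost` parameters are assumptions chosen for illustration.

```python
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def expected_guesses(alphabet_size, length):
    """Average guesses to find one uniformly random password: half the keyspace."""
    return alphabet_size ** length / 2

def expected_seconds(alphabet_size, length, guesses_per_second):
    """Expected exhaustive-search time at a given aggregate guess rate."""
    return expected_guesses(alphabet_size, length) / guesses_per_second

def min_length(alphabet_size, guesses_per_second, target_years):
    """Smallest length whose expected search time is at least target_years."""
    needed = 2 * target_years * SECONDS_PER_YEAR * guesses_per_second
    length = 1
    while alphabet_size ** length < needed:
        length += 1
    return length

def rental_cost(alphabet_size, length, per_gpu_rate, price_per_gpu_hour):
    """Money cost of the expected search. It depends only on total GPU-hours,
    so spreading the work over more machines shortens the time, not the bill."""
    gpu_hours = expected_guesses(alphabet_size, length) / per_gpu_rate / 3600
    return gpu_hours * price_per_gpu_hour

# The first two rates are the figures quoted in the thread; the third is an
# assumed login throttle of one attempt every 3 seconds (constructed value).
RATES = {
    "offline 10**12/s": 1e12,
    "offline 10**18/s": 1e18,
    "login, 3 s delay": 1 / 3,
}

def report(target_years=10):
    """Rows of (scenario, min length for a-z, min length for 94 printable ASCII)."""
    return [
        (name, min_length(26, rate, target_years), min_length(94, rate, target_years))
        for name, rate in RATES.items()
    ]

if __name__ == "__main__":
    for name, lower, printable in report():
        print(f"{name:18} lowercase >= {lower:2}   printable ASCII >= {printable:2}")
```

The lengths apply only to passwords drawn uniformly at random from the alphabet; human-chosen passwords fall to dictionary-style guessing long before the keyspace is exhausted.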