Re: Adding Secure Passwords to Linux

From Richard Kettlewell <invalid@invalid.invalid>
Newsgroups comp.os.linux.security
Subject Re: Adding Secure Passwords to Linux
Date 2023-06-12 16:46 +0100
Organization terraraq NNTP server
Message-ID <wwvcz20r8dn.fsf@LkoBDZeT.terraraq.uk>
References <b5a2266d-b904-4175-bbaf-a4e5139754bbn@googlegroups.com> <20220729083657.53e8c00e@8200cmt> <A3fdFLvyyyKnZ8KuK@bongo-ra.co> <slrnu8e496.28ha.trepidation@vps.jonz.net>


Allodoxaphobia <trepidation@example.net> writes:
> On Sun, 11 Jun 2023 10:30:40 -0000 (UTC), Spiros Bousbouras wrote:
>> On Fri, 29 Jul 2022 08:36:57 +0200
>> Marco Moock <mo01@posteo.de> wrote:
>>> It depends on the length. Longer passwords are better. The process of
>>> cracking passwords when a hash table is available, even if salted, is
>>> decreasing because GPUs become faster and this process can easily be
>>> split on many machines.
>>> There are some steps that can increase the time:
>>> 
>>> Longer passwords (The amount of time needed increases exponentially with
>>> the length of the pw)
>>
>> Assume that an attacker can test 10**12 passwords per second. 
>
> What internet-facing firewall would entertain 10**12 password attempts
> per second?!?!

The threat model is an attacker who has acquired a collection of hashed
passwords; they then attack them on their own equipment via exhaustive
search.

Measuring the attacker in terms of attempts per second isn’t always very
useful though, since the attack scales extremely well. 10^18 SHA256
hashes per second is within human civilization’s capacity for example.

A common approach is to estimate the money cost of recovering a password
of a given complexity, for instance based on the cost of renting GPU
capacity from a cloud service provider.

-- 
https://www.greenend.org.uk/rjk/
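
An added example, not part of the original post: a small cost model for the money-based estimate described above, used to pick a minimum length for randomly generated passwords. The guess rates, the hourly GPU price and the labels "fast-hash" and "slow-kdf" are constructed assumptions, not measurements or real price quotes.

```python
import math

# Constructed, illustrative figures (assumptions, not benchmarks or quotes):
# guesses per second one rented GPU achieves against each kind of hash,
# and the hourly price of that GPU. The hash labels are hypothetical.
GUESSES_PER_SEC = {"fast-hash": 1e10, "slow-kdf": 1e4}
GPU_USD_PER_HOUR = 1.0


def expected_guesses(alphabet_size: int, length: int) -> float:
    """Expected guesses to hit a uniformly random password: half the keyspace."""
    return alphabet_size ** length / 2


def expected_cost_usd(alphabet_size: int, length: int, hash_name: str) -> float:
    """Money cost of exhaustive search against one stolen hash.

    The search parallelises, so adding GPUs shortens wall-clock time but
    the GPU-hours paid for stay the same; cost is the stable measure.
    """
    gpu_seconds = expected_guesses(alphabet_size, length) / GUESSES_PER_SEC[hash_name]
    return gpu_seconds / 3600 * GPU_USD_PER_HOUR


def min_length_for_budget(alphabet_size: int, hash_name: str, budget_usd: float) -> int:
    """Shortest random-password length whose expected recovery cost exceeds budget_usd."""
    affordable = budget_usd / GPU_USD_PER_HOUR * 3600 * GUESSES_PER_SEC[hash_name]
    # Solve alphabet_size**length / 2 > affordable, then correct for rounding.
    length = max(1, math.ceil(math.log(2 * affordable, alphabet_size)))
    while expected_cost_usd(alphabet_size, length, hash_name) <= budget_usd:
        length += 1
    while length > 1 and expected_cost_usd(alphabet_size, length - 1, hash_name) > budget_usd:
        length -= 1
    return length


if __name__ == "__main__":
    # 62 symbols = upper-case, lower-case and digits; budget of 1 million USD.
    for name in GUESSES_PER_SEC:
        n = min_length_for_budget(62, name, 1e6)
        print(f"{name}: length {n}, expected cost "
              f"{expected_cost_usd(62, n, name):,.0f} USD")
```

The model only applies to passwords drawn uniformly at random; human-chosen passwords fall to dictionary-ordered guessing far sooner than the keyspace suggests.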
