| From | Richard Kettlewell <invalid@invalid.invalid> |
|---|---|
| Newsgroups | comp.os.linux.security |
| Subject | Re: Adding Secure Passwords to Linux |
| Date | 2023-06-16 08:29 +0100 |
| Organization | terraraq NNTP server |
| Message-ID | <wwvilbndfwf.fsf@LkoBDZeT.terraraq.uk> (permalink) |
| References | (1 earlier) <20220729083657.53e8c00e@8200cmt> <A3fdFLvyyyKnZ8KuK@bongo-ra.co> <slrnu8e496.28ha.trepidation@vps.jonz.net> <wwvcz20r8dn.fsf@LkoBDZeT.terraraq.uk> <LLjnsdLcytWABYcN3@bongo-ra.co> |
Spiros Bousbouras <spibou@gmail.com> writes:
> Richard Kettlewell <invalid@invalid.invalid> wrote:
>> The threat model is an attacker who has acquired a collection of
>> hashed passwords; they then attack them on their own equipment via
>> exhaustive search.
>>
>> Measuring the attacker in terms of attempts per second isn't always
>> very useful though, since the attack scales extremely well.
>
> The defence also scales extremely well, you just add a few more
> characters to the password. So how many more characters does one need
> per GPU an attacker can throw at the problem?

I don't agree that passwords scale 'extremely well' - the longer a
password is the harder it is to remember, and end users start using a
variety of tricks to avoid having to do so, e.g. repeated components,
sequences of dictionary words, etc. The real search space does not
actually expand as fast as you would think.

>> 10^18 SHA256 hashes per second is within human civilization's
>> capacity for example.
>
> 64**16 / (10**18 * 3600 * 24 * 366) = 2505 years
>
> Seems pretty safe to me.
>
>> A common approach is to estimate the money cost of recovering a password
>> of a given complexity, for instance based on the cost of renting GPU
>> capacity from a cloud service provider.
>
> A more "objective" criterion is electricity consumption. So how many
> watts of electricity would it take to do 10^18 SHA256 hashes per second?

Money seems more objective to me, given that's the resource someone has
to actually spend to recover a password, and to measure against the
value of the password. There is zero point spending $1M (whether
directly on power, or indirectly as cloud GPU rental) to recover a
password that you can only exploit for $1000 of value.

--
https://www.greenend.org.uk/rjk/
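The two estimates argued over above (time to exhaust a search space at a given hash rate, and the money cost of a recovery compared with what the password protects) are easy to put side by side. The following is an added worked example, not code from either poster: it reproduces the 64**16 / 10^18-per-second figure from the thread and then shows Kettlewell's point that a password built from dictionary words has a much smaller effective search space than its character count suggests. The 10^18 hashes/s rate and the 366-day year come from the quoted calculation; the 10,000-word dictionary, the per-hash price and the password value are constructed assumptions for illustration only.

```python
"""Offline password-cracking cost estimates (added example, constructed inputs)."""
from math import log2

# From the quoted calculation in the thread.
HASH_RATE = 1e18                       # SHA-256 hashes per second
SECONDS_PER_YEAR = 3600 * 24 * 366     # the poster used a 366-day year

# Constructed assumptions, not figures from the thread.
USD_PER_HASH = 1e-12                   # hypothetical blended price per hash attempt
DICTIONARY_WORDS = 10_000              # hypothetical word list an attacker would try


def search_space(alphabet_size: int, length: int) -> int:
    """Naive search space: every string of `length` symbols from the alphabet."""
    return alphabet_size ** length


def dictionary_search_space(words: int, n_words: int) -> int:
    """Effective search space of a passphrase made of `n_words` dictionary words.

    The character count is irrelevant here: the attacker enumerates word
    combinations, not characters, which is the point made in the reply above.
    """
    return words ** n_words


def bits(space: int) -> float:
    """Entropy of a uniformly chosen element of the search space, in bits."""
    return log2(space)


def years_to_exhaust(space: int, rate: float = HASH_RATE) -> float:
    """Worst-case time to try every candidate at `rate` hashes per second."""
    return space / (rate * SECONDS_PER_YEAR)


def expected_cost_usd(space: int, usd_per_hash: float = USD_PER_HASH) -> float:
    """Expected spend to recover one password: on average half the space is searched."""
    return (space / 2) * usd_per_hash


def worth_attacking(space: int, value_usd: float,
                    usd_per_hash: float = USD_PER_HASH) -> bool:
    """The money criterion from the reply: attack only if expected cost < value."""
    return expected_cost_usd(space, usd_per_hash) < value_usd


if __name__ == "__main__":
    random16 = search_space(64, 16)                     # 16 random chars, 64-symbol alphabet
    words4 = dictionary_search_space(DICTIONARY_WORDS, 4)  # e.g. 4 words, 20+ chars long

    for label, space in (("16 random chars (64 symbols)", random16),
                         ("4 dictionary words (10k list)", words4)):
        print(f"{label}: {bits(space):.1f} bits, "
              f"{years_to_exhaust(space):.3g} years to exhaust, "
              f"expected cost ${expected_cost_usd(space):,.0f}, "
              f"worth attacking for $1000: {worth_attacking(space, 1000.0)}")
```

Running it prints the thread's 2505 years for the 16-character case, while the four-word passphrase (20 or more characters) falls at 10^16 candidates and is exhausted in well under a second at the same rate; under the constructed price it also clears the "cheaper than the value" bar that the reply uses as the decision criterion.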
Adding Secure Passwords to Linux John Savard <quadibloc@gmail.com> - 2022-07-28 11:25 -0700
Re: Adding Secure Passwords to Linux Richard Kettlewell <invalid@invalid.invalid> - 2022-07-28 21:16 +0100
Re: Adding Secure Passwords to Linux Marco Moock <mo01@posteo.de> - 2022-07-29 08:36 +0200
Re: Adding Secure Passwords to Linux Spiros Bousbouras <spibou@gmail.com> - 2023-06-11 10:30 +0000
Re: Adding Secure Passwords to Linux Allodoxaphobia <trepidation@example.net> - 2023-06-12 12:35 +0000
Re: Adding Secure Passwords to Linux Spiros Bousbouras <spibou@gmail.com> - 2023-06-12 13:33 +0000
Re: Adding Secure Passwords to Linux Richard Kettlewell <invalid@invalid.invalid> - 2023-06-12 16:46 +0100
Re: Adding Secure Passwords to Linux Bit Twister <BitTwister@mouse-potato.com> - 2023-06-13 08:10 -0500
Re: Adding Secure Passwords to Linux "David W. Hodgins" <dwhodgins@nomail.afraid.org> - 2023-06-13 15:12 -0400
Re: Adding Secure Passwords to Linux Spiros Bousbouras <spibou@gmail.com> - 2023-06-15 20:30 +0000
Re: Adding Secure Passwords to Linux Richard Kettlewell <invalid@invalid.invalid> - 2023-06-16 08:29 +0100
Re: Adding Secure Passwords to Linux Spiros Bousbouras <spibou@gmail.com> - 2023-06-16 11:18 +0000
Re: Adding Secure Passwords to Linux John McCue <jmccue@magnetar.jmcunx.com> - 2023-06-11 14:28 +0000