On 08/12/2014 03:30 PM, Greg Freemyer wrote:
> So even if you took the Windows NTLM algorithm and added a proper salt feature, any single 16-char or shorter password could be cracked in 5 1/2 hours or less.
The important thing you are saying here is "Windows NTLM". I've mentioned web sites with poor security. If the hacker can grab the site's database giving him both the hashed password AND the individual salt AND the algorithm then ... FINIS! But if the whole code is mucked up and inadequate, broken by design, as you described this earlier, then salt is .... Lipstick on a Pig. Five hours or less ... Maybe not even that.
> That may be fine for most things we secure, but if you have a secret you truly want to secure from targeted bad actors, a 16-char password is simply not long enough anymore. My personal recommendation of 18-chars is even sounding too short.
Poetry man. Engineers may think that their high school English Lit classes were a waste, but LO! We now have an application for all that poetry!
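Added example, not part of the original thread: a password-audit sketch of the point made above, that once the stored hash, the salt and the algorithm are all known, the salt only stops work being shared between accounts, while the cost of each guess is set by the algorithm. SHA-256 stands in for the fast hash; the record layout, function names, iteration count and candidate list are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for the slow scheme


def fast_salted(password, salt):
    """One pass of a fast hash with the salt prepended (SHA-256 as a stand-in)."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def slow_salted(password, salt):
    """Same salt, but a deliberately expensive derivation (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(scheme, password):
    """Build a stored credential record the way a site database would hold it."""
    salt = os.urandom(16)
    fn = fast_salted if scheme == "fast" else slow_salted
    return {"scheme": scheme, "salt": salt, "hash": fn(password, salt)}


def audit(record, candidates):
    """Check candidates against one record; return (match, hash work units spent)."""
    if record["scheme"] == "fast":
        fn, cost = fast_salted, 1
    else:
        fn, cost = slow_salted, ITERATIONS
    work = 0
    for guess in candidates:
        work += cost  # every guess pays the full per-hash cost, salt or no salt
        if hmac.compare_digest(fn(guess, record["salt"]), record["hash"]):
            return guess, work
    return None, work


if __name__ == "__main__":
    candidates = ["letmein", "hunter2", "correct horse"]  # constructed sample list
    for scheme in ("fast", "slow"):
        rec = make_record(scheme, "correct horse")
        print(scheme, audit(rec, candidates))
```

The work count is a relative unit (one hash pass versus one PBKDF2 iteration), not a time estimate.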