On Tue, Aug 12, 2014 at 1:07 PM, Anton Aylward <opensuse@antonaylward.com> wrote:
> Now I admit that given enough computing power even one-way salted encryption might not be enough. Encryption has always been a catch-up game, but SHA-2 or SHA-3 in 512 bit mode should hold against all except the NSA (and overseas equivalents) and botnets-of-GPUs.
My ignorance is showing. Even with the best one-way salted encryption, how long does it take to crack a password if it is only 5 chars long? My belief/assumption is it doesn't take long to brute-force a short password regardless of the encryption used.

I use 4 chars for throw-away sites, 8 chars for sites I care about, but not that much (facebook / linked-in), and 18 chars for things I really care about. With an 18 char password, even the weakest encryption scheme should be relatively secure unless your password is in a rainbow table. Therefore, my 18 char passwords are also passwords I'm guessing no one else in the world is using.

The counter example is windows XP / windows 2000 server / windows 2003 server with the LM hash feature in use. The algorithm for LM hash truncates the password to 16 chars, then hashes the first 8 chars and the second 8 chars separately. The end result is effectively just two 8-char passwords. It also doesn't use a salt, so it allows for extremely quick password cracking even if the user used what seemed like a very secure password.

Greg
--
Greg Freemyer
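A small calculator for the argument in the message above, added here as an illustration and not part of Greg's post or of any openSUSE code: it computes the keyspace a brute-force attacker must search for a given alphabet and length, and models a scheme that hashes fixed-size halves of the password independently with no salt, as the post describes for LM hash. The half size, alphabet sizes and guess rate are parameters supplied as constructed assumptions, not values from the post.

```python
from math import log2

# Constructed alphabet sizes and guess rate (assumptions, not from the post).
LOWER = 26           # a-z
MIXED_ALNUM = 62     # a-z, A-Z, 0-9
GUESSES_PER_SEC = 1e9


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def worst_case_seconds(charset_size: int, length: int,
                       guesses_per_second: float = GUESSES_PER_SEC) -> float:
    """Time to exhaust the whole keyspace at a fixed guess rate.

    With a per-user salt this cost is paid once per password; a precomputed
    (rainbow) table only helps when the scheme is unsalted.
    """
    return keyspace(charset_size, length) / guesses_per_second


def split_hash_keyspace(charset_size: int, length: int, half: int) -> int:
    """Effective keyspace when the scheme truncates the password to 2*half
    characters and hashes each half on its own (the LM-style split in the
    post, with half=8 as the post's assumption).

    Because the halves are independent, the attacker's work is the SUM of
    the two halves' keyspaces, not the product, so a long password collapses
    to roughly two short ones.  (LM additionally folds letters to upper case,
    which shrinks charset_size further; pass a smaller alphabet to model that.)
    """
    truncated = min(length, 2 * half)
    first = min(truncated, half)
    second = truncated - first
    total = keyspace(charset_size, first)
    if second:
        total += keyspace(charset_size, second)
    return total


def security_bits(n: int) -> float:
    """Keyspace expressed as equivalent bits of strength."""
    return log2(n)


if __name__ == "__main__":
    for length in (4, 5, 8, 18):
        print(f"{length:2d} chars, mixed alnum: "
              f"{worst_case_seconds(MIXED_ALNUM, length):.3g} s worst case")
    full = keyspace(MIXED_ALNUM, 18)
    split = split_hash_keyspace(MIXED_ALNUM, 18, 8)
    print(f"18 chars intact: {security_bits(full):.1f} bits; "
          f"split into 8+8: {security_bits(split):.1f} bits")
```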