On Tue, Aug 12, 2014 at 1:47 PM, Greg Freemyer <greg.freemyer@gmail.com> wrote:
On Tue, Aug 12, 2014 at 1:07 PM, Anton Aylward <opensuse@antonaylward.com> wrote:
Now I admit that given enough computing power even one-way salted encryption might not be enough. Encryption has always been a catch-up game, but SHA-2 or SHA3 in 512 bit mode should hold against all except the NSA (and overseas equivalents) and botnets-of-GPUs.
My ignorance is showing.
Even with the best one-way salted encryption how long does it take to crack a password if it is only 5 chars long?
My belief/assumption is it doesn't take long to brute-force a short password regardless of the encryption used. I use 4 chars for throw-away sites - 8 chars for sites I care about, but not that much (Facebook / LinkedIn). 18 chars for things I really care about.
Anton pointed me at: http://en.wikipedia.org/wiki/Salt_%28cryptography%29#Benefits

It implies the salt is basically an open secret, but unique to each user. Thus a brute-force attack takes exactly the same amount of time for a salted or un-salted password system. The difference is that a rainbow table attack is defeated by a good, long, random salt.

On the other hand, the system I linked to before (http://www.techspot.com/news/51044-25-gpu-cluster-can-brute-force-windows-pa...) can brute-force the full 16-char password space of Windows 2003 in 5.5 hours. So even if you took the Windows NTLM algorithm and added a proper salt feature, any single 16-char or shorter password could be cracked in 5 1/2 hours or less.

That may be fine for most things we secure, but if you have a secret you truly want to secure from targeted bad actors, a 16-char password is simply not long enough anymore. My personal recommendation of 18-chars is even sounding too short.

Greg
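The two points Greg draws from the Wikipedia page (a per-user salt defeats a precomputed table but does not change the size of the space a brute-force search has to cover, while the per-guess cost is what key stretching changes) as an added Python example; this is editor-supplied illustration, not code from the thread. The wordlist, the 16-byte salt size, the PBKDF2 iteration count and the 1e11 guesses/s rate are assumptions chosen for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed tiny wordlist standing in for a precomputed (rainbow) table.
WORDLIST = [b"hunter2", b"letmein", b"qwerty", b"correct horse"]

def unsalted_table(words):
    """Precomputed digest -> password map: one table works against every user."""
    return {hashlib.sha512(w).digest(): w for w in words}

def lookup_precomputed(table, stored_digest):
    """A precomputation hit needs no per-target work at all."""
    return table.get(stored_digest)

def new_salt() -> bytes:
    """Per-user random salt (assumed 16 bytes); stored beside the digest, not secret."""
    return secrets.token_bytes(16)

def hash_with_salt(password: bytes, salt: bytes, iterations: int = 200_000) -> bytes:
    """PBKDF2-HMAC-SHA512: the salt makes every user's table unique, the
    iteration count (assumed value) multiplies the cost of each guess."""
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations)

def verify(password: bytes, salt: bytes, iterations: int, stored: bytes) -> bool:
    """Constant-time comparison of a fresh digest against the stored one."""
    return hmac.compare_digest(hash_with_salt(password, salt, iterations), stored)

def keyspace(charset_size: int, max_len: int) -> int:
    """Candidates of length 1..max_len; adding a salt does not change this number."""
    return sum(charset_size ** n for n in range(1, max_len + 1))

def hours_to_exhaust(charset_size: int, max_len: int, guesses_per_second: float) -> float:
    """Worst-case time to try the whole space at a given guess rate."""
    return keyspace(charset_size, max_len) / guesses_per_second / 3600

if __name__ == "__main__":
    table = unsalted_table(WORDLIST)
    print("unsalted hit:", lookup_precomputed(table, hashlib.sha512(b"hunter2").digest()))
    salt = new_salt()
    digest = hash_with_salt(b"hunter2", salt)
    print("salted hit:", lookup_precomputed(table, digest))
    print("verify:", verify(b"hunter2", salt, 200_000, digest))
    # Assumed rate of 1e11 guesses/s over 95 printable ASCII characters.
    for n in (5, 8, 16, 18):
        print(n, "chars:", f"{hours_to_exhaust(95, n, 1e11):.3g} h")
```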