| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 18 Feb 2013 00:01:59 +0000 From: Marsh Ray <maray@...rosoft.com> To: Steve Thomas <steve@...tu.com>, "discussions@...sword-hashing.net" <discussions@...sword-hashing.net> Subject: RE: [PHC] Different cost settings and optional input From: Steve Thomas [mailto:steve@...tu.com] > > Actually we're both wrong. There are 175 million users at the time > of the break in. There are 5,787,239 unique hashes that were > released Do we know if the released unique hashes represented all the unique hashes of the 175 million? That would imply that N_97 =~ 5.8e6. I.e., 96.7% of users chose one of the 5.7 million most common passwords. > (once you remove the first 8 characters of the hash because some > hashes had their first 8 characters zeroed out). Did those turn out to be the easiest to break? There was speculation that attackers had zeroed out the beginning of the ones they'd been able to break. > N_50 = 100,000 > speed = 1 billion/s > > unsalted: 0.1 ms (100,000 / 10^9) > salted: between 4 hrs 52 min and 2 hrs 26 min (175,000,000 * 100,000 / 10^9 to 175,000,000 / 2 * 100,000 / 10^9) So, at least in the absence of a meaningful work factor, we can conclude: 1. If the attacker is targeting a specific user or small set of user(s), salt doesn't help much at all. 2. If the attacker is happy with merely the majority of passwords, salt doesn't help much at all either. It seems like the main thing that salting is good for is giving the users with the most-secure passwords a few hours or days to change their password before it is cracked, assuming the service detected the breach and notified its users immediately. - Marsh
Powered by blists - more mailing lists