lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <CAMtf1HuDPOhSANZo=iPS5hPc7pn3hEj=vF63D5oHJ=BvGH=9Cg@mail.gmail.com>
Date: Fri, 12 Dec 2014 11:31:51 +0800
From: Ben Harris <ben@...rr.is>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] How important is salting really?
On 12 December 2014 at 11:13, Peter Maxwell <peter@...icient.co.uk> wrote:
>
> If commonly chosen passwords have an incidence of, say, 0.5% in a database
> (not unreasonable from what I can tell), there is a suitably large number
> of hashes in the database, and the work involved in calculation of a single
> hash is high then it might be of use. For example, a database with 1m
> password hashes implies around 5k duplicates of each of the very most
> common passwords; if those aren't salted then an attacker can both reduce
> their work commitment by the number of duplicates but also readily identify
> them a priori as weak passwords. It does however require the work-per-hash
> to be rather onerous indeed.
>
> There may be a more subtle argument to be made here involving frequency
> distributions of passwords but I'm far too tired at the moment to advance
> it.
>
Back of the envelope for birthday collision.
Random password with 32-bit entropy (~6 alpha-numeric) - 77 thousand passwords = 50% chance of duplicate
Random password with 48-bit entropy (~8 alpha-numeric) - 20 million passwords = 50% chance of duplicate
Random password with 64-bit entropy (~11 alpha-numeric) - 5 billion passwords = 50% chance of duplicate
And from (https://xato.net/passwords/more-top-worst-passwords/)
4.7% of users have the password password;
8.5% have the passwords password or 123456;
9.8% have the passwords password, 123456 or 12345678;
14% have a password from the top 10 passwords
40% have a password from the top 100 passwords
79% have a password from the top 500 passwords
91% have a password from the top 1000 passwords
Critically, 0.18% of users use 99.6% of the passwords in the database leaked in that article.
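The two arguments made above (the birthday bound on how many random passwords a database can hold before two collide, and the attacker's ability to collapse and pre-identify duplicates when hashes are unsalted) can be checked numerically. The following is an added example written for this page, not code from either poster or from the PHC project. It uses the n ~ sqrt(2N ln 2) birthday approximation, a constructed password-frequency table shaped loosely like the percentages quoted from the xato article, plain SHA-256 standing in for whatever password hash is in use, and a hypothetical eight-entry attacker dictionary; all of those are assumptions of the example, not figures from the thread.

```python
"""Added example (not from the original thread): birthday bound for password
duplicates, and a constructed unsalted-vs-salted database showing how
duplicates collapse the attacker's work and expose weak passwords a priori."""
import hashlib
import math
import os
import random
import string
from collections import Counter


def birthday_bound(bits, p=0.5):
    """Number of uniformly random values from a 2**bits space at which the
    probability of at least one duplicate reaches p: n ~ sqrt(2 N ln(1/(1-p)))."""
    return math.sqrt(2 * 2 ** bits * math.log(1 / (1 - p)))


def dup_probability(n, bits):
    """Probability that n uniformly random values from a 2**bits space collide
    somewhere, using the standard approximation 1 - exp(-n(n-1) / (2N))."""
    return 1 - math.exp(-n * (n - 1) / (2 * 2 ** bits))


# Constructed frequency table (weights per 1000 users), loosely shaped like the
# figures quoted in the thread: a few very common passwords plus a unique tail.
COMMON = [("password", 47), ("123456", 38), ("12345678", 13), ("qwerty", 10),
          ("abc123", 6), ("letmein", 4), ("monkey", 3), ("dragon", 2)]
# Hypothetical attacker dictionary: the common passwords, most frequent first.
GUESSES = [pw for pw, _ in COMMON]


def build_db(n_users, seed=7):
    """Return a constructed list of plaintext passwords for n_users accounts."""
    rng = random.Random(seed)
    alphabet = string.ascii_letters + string.digits
    plain = []
    for _ in range(n_users):
        r = rng.randrange(1000)
        chosen = None
        acc = 0
        for pw, weight in COMMON:
            acc += weight
            if r < acc:
                chosen = pw
                break
        if chosen is None:  # long tail: a random 10-character password
            chosen = "".join(rng.choices(alphabet, k=10))
        plain.append(chosen)
    return plain


def hash_unsalted(pw):
    # SHA-256 stands in for the password hash; the salting argument is the same.
    return hashlib.sha256(pw.encode()).hexdigest()


def hash_salted(pw, salt):
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def store_unsalted(plain):
    return [hash_unsalted(p) for p in plain]


def store_salted(plain):
    records = []
    for p in plain:
        salt = os.urandom(16)  # fresh random salt per account
        records.append((salt, hash_salted(p, salt)))
    return records


def visible_clusters(hashes, top=3):
    """What an attacker sees in an unsalted dump before doing any hashing:
    identical hashes mark identical passwords, and the biggest clusters are the
    weakest passwords. Returns [(hash, count), ...] for the top clusters."""
    return Counter(hashes).most_common(top)


def crack_unsalted(hashes, guesses):
    """Unsalted: one hash computation per guess matches every account that
    chose that password. Returns (hash_operations, accounts_cracked)."""
    table = Counter(hashes)
    ops = cracked = 0
    for g in guesses:
        ops += 1
        cracked += table[hash_unsalted(g)]
    return ops, cracked


def crack_salted(records, guesses):
    """Salted: every guess has to be recomputed under each account's own salt.
    Returns (hash_operations, accounts_cracked)."""
    ops = cracked = 0
    for salt, h in records:
        for g in guesses:
            ops += 1
            if hash_salted(g, salt) == h:
                cracked += 1
                break
    return ops, cracked


if __name__ == "__main__":
    for bits in (32, 48, 64):
        print(f"{bits}-bit entropy: ~{birthday_bound(bits):,.0f} passwords for a 50% duplicate chance")
    plain = build_db(20000)
    unsalted, salted = store_unsalted(plain), store_salted(plain)
    print("distinct hashes, unsalted:", len(set(unsalted)), "salted:", len({h for _, h in salted}))
    print("largest clusters visible in the unsalted dump:", visible_clusters(unsalted))
    print("unsalted attack (ops, cracked):", crack_unsalted(unsalted, GUESSES))
    print("salted attack   (ops, cracked):", crack_salted(salted, GUESSES))
```

Running it reproduces the three birthday figures (about 77 thousand, 19.8 million and 5.1 billion) and shows the two effects of the quoted argument: in the unsalted dump the number of distinct hashes is well below the number of accounts, the largest cluster is the hash of the most common password before a single guess has been computed, and the whole dictionary costs one hash per guess regardless of database size; with per-user salts every hash is distinct and the same dictionary costs at least one hash per account.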