[Catalog-sig] Pull request to migrate PyPI to bcrypt

Donald Stufft donald.stufft at gmail.com
Tue Feb 12 18:01:57 CET 2013


On Tuesday, February 12, 2013 at 11:41 AM, Jesus Cea wrote:
> On 11/02/13 14:38, Donald Stufft wrote:
> > What were they hashed with? Even with a salt a fast hash is trivial
> > to bruteforce for a large number of passwords in practically no
> > time with trivial hardware.
> 
> Not if your salt has 256 bits of entropy.
>  
> Usual approach would be to use two salts: a personal salt per user,
> stored in a different database from the hashed password (to reduce the
> possibility of the same bug affecting both databases), and a global per
> site salt, stored outside of the database.
>  
> Salts can be big. You can't brute-force a 256 bit salt.

You don't need to brute-force a salt. If the application knows it, you can
assume the attacker will know it too, either by directly using your login
routines or by having stolen it along with your database. The only thing
you're brute-forcing is the unknown element, i.e. the user's password.
Commodity hardware can easily break 192 MiB/s [1] in SHA-1, even more
if you invest in hardware.

A 256-bit salt is practically meaningless in terms of brute-forcing the unknown
element.

[1] http://www.cryptopp.com/benchmarks-amd64.html
> 
> -- 
> Jesús Cea Avión
> jcea at jcea.es - http://www.jcea.es/
> jabber / xmpp:jcea at jabber.org
> "Things are not so easy"
> "My name is Dump, Core Dump"
> "El amor es poner tu felicidad en la felicidad de otro" - Leibniz
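The point argued above (the salt is known to whoever holds the database, so only the password is searched, and a slow hash is what raises the cost of each guess) as an added example, not code from the thread or from PyPI. It assumes a constructed four-entry word list, uses stdlib PBKDF2-HMAC-SHA256 as a stand-in for bcrypt, and measures a rough wall-clock cost ratio rather than a fixed number.

```python
import hashlib
import os
import time

# Constructed word list standing in for an offline guessing run; the real
# password is the 3rd entry, so recovery always takes exactly 3 evaluations.
CANDIDATES = [b"password", b"letmein", b"hunter2", b"correcthorse"]
SECRET = b"hunter2"


def fast_hash(password: bytes, salt: bytes) -> bytes:
    """Salted SHA-1: one compression call per guess (the 192 MiB/s case)."""
    return hashlib.sha1(salt + password).digest()


def slow_hash(password: bytes, salt: bytes, iterations: int = 20_000) -> bytes:
    """Stand-in for bcrypt: every guess pays `iterations` HMAC evaluations."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def evaluations_to_match(stored: bytes, salt: bytes, hash_fn, candidates) -> int:
    """How many hash evaluations an offline guess run needs when the salt is
    known (it was stored next to the hash); -1 if no candidate matches."""
    for n, guess in enumerate(candidates, start=1):
        if hash_fn(guess, salt) == stored:
            return n
    return -1


def salt_size_does_not_matter(hash_fn) -> bool:
    """64-, 128- and 256-bit salts all cost the same number of evaluations."""
    results = []
    for salt_len in (8, 16, 32):
        salt = os.urandom(salt_len)
        stored = hash_fn(SECRET, salt)
        results.append(evaluations_to_match(stored, salt, hash_fn, CANDIDATES))
    return len(set(results)) == 1


def per_guess_cost_ratio(samples: int = 1000) -> float:
    """Rough wall-clock cost of one slow_hash guess relative to one fast_hash guess."""
    salt = os.urandom(32)
    t0 = time.perf_counter()
    for _ in range(samples):
        fast_hash(SECRET, salt)
    fast = max((time.perf_counter() - t0) / samples, 1e-9)
    t0 = time.perf_counter()
    slow_hash(SECRET, salt)
    return (time.perf_counter() - t0) / fast
```

What changes between the two hash functions is not the number of guesses but the price of each one, which is the property bcrypt's cost factor lets an operator raise over time.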



