If you have access to the DB, you probably have access to the salt too. Salts protect you against rainbow tables, not against brute forcing. While brute forcing a 46 character password would take more than the life of our sun, you have to consider what the bit strength of the average user's password is.

According to http://research.microsoft.com/pubs/74164/www2007.pdf, *~20% of Fidelity, ~20% of NY Times, ~15% of Paypal* users have a password with a bit strength of 30 or less. According to that study, this means that if I know the hash and salt, you need to try just 2^30 total combinations to find the password of 45% of Paypal users. Using an ATI HD 5970 (which you can find for $499 at Buy.com) and http://www.golubev.com/hashgpu.htm you can try 2,300,000 SHA1 hashes a second. This means that you can crack the password of one of those users in 2^30/2300000 = a little less than 8 minutes each. In reality, using a smart dictionary attack and some memory you can massively reduce this time. Even more if you are willing to pay a little more for the hardware.

You can control your own password but only marginally the passwords of your users (because it is not a great user experience forcing a user to have a 46 character password). bcrypt easily solves the problem and it is not a lot of work to add the option to use it in cakephp. And if 0.3 sec to login is too long for you, you can reduce the work factor in the algorithm.

Best,
Chris

On Tue, Sep 13, 2011 at 6:09 AM, AD7six <[email protected]> wrote:
>
> On Sep 13, 3:02 pm, AD7six <[email protected]> wrote:
> > On Sep 13, 3:21 am, Chris Cinelli <[email protected]> wrote:
> > > Read the link I posted. 40 secs to bruteforce crack a hash
> >
> > How about: how long on average to brute force a sha1-ed 46 char a-zA-Z0-9 string?
> >
> > That's the default hash for cake 1.3, and the length of the salted
> > string with a 6 char (weak) password. Quoting numbers for something
> > that is irrelevant is .. irrelevant.
> >
> > AD
>
> In fact here you go: 1b5e8ecd7afdf8f97b5c4ed9793d312eeee9f584
>
> that's the hash cake would store for a simple password - what was the
> password?
>
> AD

--
Our newest site for the community: CakePHP Video Tutorials http://tv.cakephp.org
Check out the new CakePHP Questions site http://ask.cakephp.org and help others with their CakePHP related questions.
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/cake-php
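The cost argument above, worked through in code. This is an added illustration and is not code from the thread or from CakePHP. It takes the thread's own numbers (a 2^30 guess space for weak passwords, 2,300,000 SHA-1 hashes per second on the GPU, 0.3 seconds per bcrypt login) and models what they imply for a defender. Two assumptions are labelled in the code: that Cake 1.3's salted hash is sha1(site_salt + password), and that bcrypt's cost parameter doubles the work per increment (which is how bcrypt is defined, but no bcrypt library is used here, so the timing is a model, not a measurement).

```python
import hashlib

# Figures quoted in the thread (constructed inputs for the model, not measurements).
GPU_SHA1_PER_SECOND = 2_300_000      # ATI HD 5970 figure cited in the thread
WEAK_PASSWORD_BITS = 30              # "bit strength of 30 or less" for ~20% of users
BCRYPT_LOGIN_SECONDS = 0.3           # "0.3 sec to login" mentioned in the thread
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def salted_sha1_cake13(site_salt: str, password: str) -> str:
    """ASSUMPTION: Cake 1.3's default Security::hash with salt is sha1(site_salt + password).

    The thread's '46 character string' is a 40-char site salt plus a 6-char password.
    """
    return hashlib.sha1((site_salt + password).encode("utf-8")).hexdigest()


def same_site_salt_leaks_equal_passwords(site_salt: str, password: str) -> bool:
    """With one site-wide salt, two users sharing a password share a hash.

    That is the property a per-user salt (bcrypt generates one per hash) removes:
    a guess confirmed for one account is confirmed for every account with that hash.
    """
    return salted_sha1_cake13(site_salt, password) == salted_sha1_cake13(site_salt, password)


def exhaust_seconds(bits: int, guesses_per_second: float) -> float:
    """Worst-case time to try every one of the 2^bits candidates at the given rate."""
    return (2 ** bits) / guesses_per_second


def bcrypt_seconds_per_hash(measured_seconds: float, measured_cost: int, new_cost: int) -> float:
    """ASSUMPTION (matches bcrypt's definition): work doubles for each +1 in cost.

    Given a measured login time at one cost, predict the time at another cost.
    """
    return measured_seconds * (2 ** (new_cost - measured_cost))


def compare_schemes(bits: int = WEAK_PASSWORD_BITS) -> dict:
    """Time to exhaust a 2^bits space under the two schemes discussed in the thread.

    The bcrypt figure assumes the attacker pays the same 0.3 s per guess as the
    server does per login; a faster attacker scales this down linearly, which is
    exactly why the cost parameter exists.
    """
    sha1_seconds = exhaust_seconds(bits, GPU_SHA1_PER_SECOND)
    bcrypt_seconds = exhaust_seconds(bits, 1.0 / BCRYPT_LOGIN_SECONDS)
    return {
        "salted_sha1_minutes": sha1_seconds / 60,
        "bcrypt_years": bcrypt_seconds / SECONDS_PER_YEAR,
        "slowdown_factor": bcrypt_seconds / sha1_seconds,
    }


if __name__ == "__main__":
    # Constructed sample values: a 40-char salt like Cake's Security.salt, a weak password.
    demo_salt = "DYhG93b0qyJfIxfs2guVoUubWwvniR2G0FgaC9mi"
    print(salted_sha1_cake13(demo_salt, "abc123"))
    print(same_site_salt_leaks_equal_passwords(demo_salt, "abc123"))
    result = compare_schemes()
    print(f"salted SHA-1: {result['salted_sha1_minutes']:.1f} minutes to exhaust 2^30")
    print(f"bcrypt @0.3s: {result['bcrypt_years']:.1f} years to exhaust 2^30")
    print(f"cost 10 -> 12 raises 0.3 s to {bcrypt_seconds_per_hash(0.3, 10, 12):.1f} s per hash")
```

The 2^30 / 2,300,000 division gives about 467 seconds, the "a little less than 8 minutes" in the thread; the same space at 0.3 seconds per guess is roughly a decade, and each increment of the bcrypt cost doubles that again, which is the knob the thread refers to as the work factor.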
