**nothing** absolutely protects you from brute force. Your bcrypt is just as vulnerable to a plain jane dictionary attack as anything else.

If you have generated all possible passwords, it's just a case of (painstakingly slow) trial and error to get you in. Changing the hashing approach won't change this fact... ever. And you won't have access to the salt - unless you completely fail at setting up your production environment. My database and my application server are 2 completely different boxes, protected by 2 completely different passwords. If you gain access to my db, or more likely expose the users table via SQL injection, you don't get the salt. You could brute force them if you had the patience.... but no matter the hashing method you are vulnerable to this.

A far more likely attack would be an attack at the authorization form itself - an automated form bot that tries multiple password combinations until it successfully enters your site. You can mitigate this by using a "3 strikes" rule, and forcing reCAPTCHA on the 4th attempt to slow a bot down....

You've been offered a chance to prove your argument, AD7six has given you a hash - find the password in less than 8 minutes......

On Wed, Sep 14, 2011 at 8:33 AM, Chris Cinelli <[email protected]> wrote:

> If you have access to the DB, you probably have access to the salt too. Salts protect you against rainbow tables, not against brute forcing.
> While brute forcing a 46 character password would take more than the life of our sun, you have to consider what the bit strength of the average user is.
>
> According to: http://research.microsoft.com/pubs/74164/www2007.pdf *~20% of Fidelity, ~20% of NY Times, ~15% of Paypal* have a password with bit strength of 30 or less. According to that study, this means that if I know the hash and salt, you need to try just 2^30 total combinations to find the password of 45% of Paypal users. Using an ATI HD 5970 (that you can find at $499 at Buy.com) and http://www.golubev.com/hashgpu.htm you can try 2,300,000 SHA1 hashes a second.
>
> This means that you can crack the password of one of those users in 2^30/2300000 = a little less than 8 minutes each.
> In reality, using a smart dictionary attack and some memory you can massively reduce this time. Even more if you are willing to pay a little more for the hardware.
>
> You can control your own password but only marginally the passwords of your users (because it is not a great user experience forcing a user to have a 46 character password).
>
> bcrypt easily solves the problem and it is not a lot of work to add the option to use it in cakephp. And if 0.3 sec to login is too long for you, you can reduce the working factor in the algorithm.
>
> Best,
> Chris
>
> On Tue, Sep 13, 2011 at 6:09 AM, AD7six <[email protected]> wrote:
>
>> On Sep 13, 3:02 pm, AD7six <[email protected]> wrote:
>> > On Sep 13, 3:21 am, Chris Cinelli <[email protected]> wrote:
>> > > Read the link I posted. 40 secs to bruteforce crack a hash
>> >
>> > How about: how long on average to brute force a sha1-ed 46 char a-zA-Z0-9 string?
>> >
>> > That's the default hash for cake 1.3, and the length of the salted string with a 6 char (weak) password. Quoting numbers for something that is irrelevant is .. irrelevant.
>> >
>> > AD
>>
>> In fact here you go: 1b5e8ecd7afdf8f97b5c4ed9793d312eeee9f584
>>
>> that's the hash cake would store for a simple password - what was the password?
>>
>> AD
>>
>> --
>> Our newest site for the community: CakePHP Video Tutorials
>> http://tv.cakephp.org
>> Check out the new CakePHP Questions site http://ask.cakephp.org and help others with their CakePHP related questions.
>>
>> To unsubscribe from this group, send email to [email protected]
>> For more options, visit this group at http://groups.google.com/group/cake-php
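The crack-time arithmetic Chris lays out (2^30 guesses at 2,300,000 SHA-1/s) and his remark about reducing bcrypt's working factor, carried through as an added example that is not from the thread or from CakePHP; it assumes the Cake 1.3 scheme is SHA-1 over salt + password as AD7six describes it, and that an attacker's bcrypt throughput matches the 0.3 s per login quoted on the defender's side:

```python
import hashlib

# Figures quoted in the thread, used here as constructed inputs to the estimator.
SHA1_GPU_RATE = 2_300_000       # SHA-1 guesses/second claimed for an ATI HD 5970
BCRYPT_LOGIN_SECONDS = 0.3      # bcrypt verification time mentioned for a login
WEAK_BIT_STRENGTH = 30          # entropy of the weak passwords in the cited study


def cake13_hash(salt: str, password: str) -> str:
    """Cake 1.3 style hash as the thread describes it (assumed: SHA-1 over
    salt + password). A 40-char salt plus a 6-char password gives the 46-char
    string AD7six mentions, but once the salt is known each guess still costs
    only one SHA-1 over the 6-char part, so the salt adds no brute-force cost."""
    return hashlib.sha1((salt + password).encode()).hexdigest()


def seconds_to_exhaust(bit_strength: int, guesses_per_second: float) -> float:
    """Time to try every one of the 2^bit_strength candidates at a given rate."""
    return (2 ** bit_strength) / guesses_per_second


def bcrypt_guess_rate(seconds_per_hash: float, cost_delta: int = 0) -> float:
    """Guesses/second against bcrypt. bcrypt's cost parameter is logarithmic:
    raising it by one halves throughput, lowering it by one doubles it.
    Assumption: the attacker's per-hash time equals the defender's measurement."""
    return (1.0 / seconds_per_hash) / (2 ** cost_delta)


def compare(bit_strength: int = WEAK_BIT_STRENGTH, cost_delta: int = 0) -> dict:
    """Worst-case exhaustion time for the same weak password under both schemes."""
    sha1_seconds = seconds_to_exhaust(bit_strength, SHA1_GPU_RATE)
    bcrypt_seconds = seconds_to_exhaust(
        bit_strength, bcrypt_guess_rate(BCRYPT_LOGIN_SECONDS, cost_delta))
    return {
        "sha1_minutes": round(sha1_seconds / 60, 2),
        "bcrypt_years": round(bcrypt_seconds / (365 * 24 * 3600), 2),
    }


if __name__ == "__main__":
    print(cake13_hash("x" * 40, "secret"))   # one fast SHA-1, 40 hex chars
    print(compare())                          # the thread's 2^30 case
    print(compare(cost_delta=-1))             # "reduce the working factor" by one
```

Lowering the work factor by one step halves the bcrypt figure, which is the trade-off behind the "0.3 sec to login" remark; the SHA-1 figure does not move no matter how long the salt is.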
