On Thu, Jun 7, 2012 at 4:14 PM, Steven Bellovin <[email protected]> wrote: > There's another, completely different issue: does the attacker want a > particular password, or will any passwords from a large set suffice? > > Given the availability of cheap cloud computing, botnets, GPUs, and botnets > with GPUs, Aa * Ah * Ap can be very, very high, i.e., the attacker has a > strong advantage when attacking a particular password. Some say that it's so > high that increasing Ad is essentially meaningless. On the other hand, if > there are many passwords in the set being attacked, a large Ad translates > into a reduction in the fraction that can be attack in any given time frame.
If the attacker can't easily identify the user IDs... If usernames are put through a PBKDF as well to generate the lookup key with which to find the password verifier, how much does the defender gain? For any one password, not much, because there's less entropy in usernames than passwords, so the Ad barely improves -- but if the attacker can't identify that one password then the slight increase in Ad helps slow the attacker's progress through all of the verifiers they have. Moreover, the verifier DB could be peppered with chaff with which to further slow down the attacker. Does this make sense? Nico -- _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
