> On October 27, 2017 at 11:27 PM Joseph Tam <[email protected]> wrote:
>
>
> Aki Tuomi wrote:
>
> > The use of salt, today, is to prevent the attacker from directly seeing
> > who has the same passwords. Of course it also will make a rainbow table
> > attack less useful,
>
> Not just less useful, but almost infeasible. Given the use of random
> salts, you would have to generate (number of possible salts) rainbow
> tables. This drastically changes the CPU/storage tradeoffs.
>
> > but then again, no one uses rainbow tables anymore
> > since it takes about a few minutes to brute force a password in the cloud
> > or on your home computer GPU. SHA512-CRYPT uses by default 4000 rounds
> > on dovecot, to make it more computationally expensive, but still it's
> > not very strong protection anymore.
>
> I know it is theoretically possible, but really, how feasible is it?
> The way people talk about it, they make it sound trivial. As a test,
> I just generated a hash using "doveadm pw". Any takers?
>
>
> {SHA512-CRYPT}$6$qyQANQFbQGqOSqHh$Z4YVIe.QakXtWs63lWUmzlseKpiFzfPCKhwM0NQk8jP6QeRmk6POkCdSrFBmVO2wh.dgPCPA7Gq3sNUeKOZLM/
>
A random article on the internet says it's rather feasible if you want passwords cracked. Of course, if the passwords are longer than, say, 8 characters, it becomes less feasible. My point wasn't to say that SHA512 is fully insecure, and adding rounds does make it less so as the expenses rack up.

https://killtacknine.com/test-driving-google-cloud-gpus-with-hashcat/

It's not available on the graphics (puzzling), but if you look at the gist, it'll show that SHA512-CRYPT is cracked at 247.9 kH/s and MD5-CRYPT (salted MD5) at 17579.7 kH/s. As a comparison, straight non-salted SHA512 goes at 1402.7 MH/s and MD5 with no salting at 33677.6 MH/s. For reference, DIGEST-MD5 uses MD5(username:realm:password) as the stored credential, which is pretty much straight MD5 for cracking.

https://gist.github.com/anonymous/1fa176d82af79e879a9efa74c9d1c970

> > MD5 with or without salt can be attacked at passwords per second speed,
> > so using CRAM-MD5 or DIGEST-MD5 is a very very poor choice. Anything with
> > MD5 should not be used for passwords these days.
> >
> > With Dovecot 2.3 we are making BLF-CRYPT available on all platforms, and
> > also adding support for ARGON2 when you have libsodium available.
>
> Straight hashes, without question, are weak. I routinely break NTLM hashes
> with rainbow tables. I'm *not* arguing against the use of stronger
> hashes, I'm just skeptical of the FUD surrounding the use of older
> salted hashes. This is especially true if the hashes are guarded
> against leakage, as most are. Strong crypt-hashes are an extra layer
> of protection (defense in depth).
>

Yet these leaks, they seem to occur.

> This page (if you trust 3rd parties) will report whether a password
> was ever found in a breached database. You can also download the
> SHA1 hashes of all their known cracked passwords. It's big -- 5.3Gb
> 7-zipped file.
>
> https://haveibeenpwned.com/Passwords
>
> "j.emerlik" further asks:
>
> > You mean that today they are using encrypted passwords to see
> > who has the same passwords, using brute force or hash dictionary attacks?
>
> They precompute hashes for a large number of password candidates, then
> look up hashes in that table. Rainbow tables are a way of folding large
> tables into smaller ones, trading off space for extra CPU time.
>
> However, for hashes that use non-trivial salts, you would need to
> precompute an astronomically large number of tables. An attacker might
> be better off with a straight CPU-bound brute force search.
>
> Joseph Tam <[email protected]>
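To make the cost argument in this thread concrete, here is an added example (not part of the thread, and not Dovecot's own code): a pure-Python reimplementation of the crypt(3) SHA512-CRYPT ("$6$") algorithm that `doveadm pw -s SHA512-CRYPT` produces, a verifier for the `{SHA512-CRYPT}$6$salt$hash` form shown above, the per-candidate loop a cracker has to run against such a hash, and the DIGEST-MD5 stored credential MD5(username:realm:password) for comparison. A `$6$` string with no `rounds=` field means the crypt(3) default of 5000 rounds, and salts are capped at 16 bytes. The password `correct horse`, the salt `c0nstructedSalt`, the wordlist and the `joe`/`example.org` identity are all constructed for this example; it does not attempt the hash Joseph posted. The function and constant names (`sha512_crypt`, `verify`, `dictionary_attack`, `digest_md5_credential`, `MAX_SALT_LEN`) are this example's own.

```python
"""Added example: SHA512-CRYPT ("$6$") as stored by Dovecot's {SHA512-CRYPT} scheme,
re-implemented from the crypt(3)/SHA-crypt algorithm, plus DIGEST-MD5's stored secret.
Not Dovecot's code; sample passwords, salts and identities below are constructed."""
import hashlib
import hmac
from typing import Optional

_B64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DEFAULT_ROUNDS = 5000   # crypt(3) default when the hash carries no "rounds=" field
MAX_SALT_LEN = 16       # crypt(3) ignores salt bytes beyond this
SCHEME = "{SHA512-CRYPT}"


def _crypt_b64(digest: bytes) -> str:
    """crypt(3)'s output encoding: 21 shuffled 3-byte groups (4 chars each),
    then the last byte alone (2 chars), emitted as little-endian 6-bit groups."""
    out = bytearray()
    for k in range(21):
        trip = (digest[k], digest[k + 21], digest[k + 42])
        trip = trip[k % 3:] + trip[:k % 3]      # rotate the group as glibc does
        w = (trip[0] << 16) | (trip[1] << 8) | trip[2]
        for _ in range(4):
            out.append(_B64[w & 0x3F])
            w >>= 6
    w = digest[63]
    for _ in range(2):
        out.append(_B64[w & 0x3F])
        w >>= 6
    return out.decode()


def sha512_crypt(password: bytes, salt: bytes, rounds: Optional[int] = None) -> str:
    """Return "$6$[rounds=N$]salt$hash" for password/salt (Drepper's SHA-crypt)."""
    salt = salt[:MAX_SALT_LEN]
    n = DEFAULT_ROUNDS if rounds is None else min(max(rounds, 1000), 999_999_999)
    klen = len(password)
    # Digest B = SHA512(key || salt || key); digest A mixes B in key-length-dependent ways.
    alt = hashlib.sha512(password + salt + password).digest()
    ctx = hashlib.sha512(password + salt)
    ctx.update(alt * (klen // 64) + alt[: klen % 64])
    cnt = klen
    while cnt > 0:                       # one chunk per bit of the key length
        ctx.update(alt if cnt & 1 else password)
        cnt >>= 1
    alt = ctx.digest()
    # Byte sequences P (from the key) and S (from the salt), stretched to length.
    dp = hashlib.sha512(password * klen).digest()
    p = (dp * (klen // 64 + 1))[:klen]
    ds = hashlib.sha512(salt * (16 + alt[0])).digest()
    s = (ds * (len(salt) // 64 + 1))[: len(salt)]
    # The expensive part: `n` chained SHA-512s, paid once per candidate by a cracker.
    for i in range(n):
        ctx = hashlib.sha512()
        ctx.update(p if i & 1 else alt)
        if i % 3:
            ctx.update(s)
        if i % 7:
            ctx.update(p)
        ctx.update(alt if i & 1 else p)
        alt = ctx.digest()
    tag = f"rounds={n}$" if rounds is not None else ""
    return f"$6${tag}{salt.decode()}${_crypt_b64(alt)}"


def parse_sha512_crypt(stored: str):
    """Split "{SHA512-CRYPT}$6$[rounds=N$]salt$hash" into (rounds, salt, hash)."""
    if stored.startswith(SCHEME):
        stored = stored[len(SCHEME):]
    if not stored.startswith("$6$"):
        raise ValueError("not a SHA512-CRYPT hash")
    rest, rounds = stored[3:], None
    if rest.startswith("rounds="):
        field, rest = rest.split("$", 1)
        rounds = int(field[len("rounds="):])
    salt, _, digest = rest.partition("$")
    return rounds, salt.encode(), digest


def verify(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and rounds, compare in constant time."""
    rounds, salt, _ = parse_sha512_crypt(stored)
    plain = stored[len(SCHEME):] if stored.startswith(SCHEME) else stored
    return hmac.compare_digest(sha512_crypt(candidate.encode(), salt, rounds), plain)


def dictionary_attack(stored: str, wordlist) -> Optional[str]:
    """A cracker's loop for one salted hash: no precomputed table applies, so each
    candidate costs a full sha512_crypt. Returns the matching word or None."""
    for word in wordlist:
        if verify(stored, word):
            return word
    return None


def digest_md5_credential(username: str, realm: str, password: str) -> str:
    """DIGEST-MD5's stored secret: MD5(username:realm:password). username and
    realm are public, so to an attacker this is one unsalted MD5 per candidate."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


if __name__ == "__main__":
    # Constructed sample data for this example; not the hash posted in the thread.
    stored = SCHEME + sha512_crypt(b"correct horse", b"c0nstructedSalt")
    print(stored)
    print("recovered:", dictionary_attack(stored, ["123456", "password", "correct horse"]))
    print("DIGEST-MD5:", digest_md5_credential("joe", "example.org", "correct horse"))
```

Run as a script, it prints a constructed `{SHA512-CRYPT}$6$c0nstructedSalt$...` line and recovers `correct horse` from the three-word list. The point to take from the loop in `sha512_crypt` is that every candidate costs thousands of chained SHA-512 computations, which is the gap between the 247.9 kH/s and 1402.7 MH/s figures quoted above, and that the salt enters both the `S` sequence and every round, so a table built for one salt says nothing about another. `digest_md5_credential` shows why the thread treats DIGEST-MD5 as "pretty much straight MD5": the only thing mixed in is a username and realm the attacker already knows.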
