On 22.07.2017 11:54, Mark Rotteveel wrote:
On 21-7-2017 13:00, Alex via Firebird-devel wrote:
Yes, but SHA1 weakness becomes important only when password becomes
as long as hash, i.e. 20 bytes for sha1. Without enforcing users to
have long passwords replacing hash makes no sense.
That is unfortunately not true. The weakness that allows one to
produce a collision is not relevant here. The problem is purely one of
speed. Plain SHA1 used for passwords are now 'trivially' bruteforced
using GPUs (trivial compared to other algorithms, and especially for
shorter passwords).
Eg see https://www.troyhunt.com/our-password-hashing-has-no-clothes/
(from 2012), a single GPU could try 2.2 billion hashes per second. And
he demonstrates that from a sample of 40000 passwords hashed using
SHA-1 + salt he can easily crack 63% of them within 44 minutes, and
that was 5 years ago.
The consensus in the security industry is that plain SHA1 (or any
plain cryptographic hashing algorithm) even with salt is not suitable
for passwords, and that an algorithm like PBKDF2, bcrypt, scrypt, etc
should be used. See also
https://patrickmn.com/security/storing-passwords-securely/
However if I recall the discussion about SRP, SRP doesn't actually
store the hash of the password itself, but calculates a sort of public
/ private key that can be used in an authentication challenge to see
if the user used the original password for authentication. I'm not
sure about the strengths or weaknesses of that.
SRP does store the value derived from the following hash: SHA1(salt,
SHA1(login || ':' || password)). Word 'derived' is probably important
from bruteforcing POV - in contains operations with BigIntegers
increasing volume of computations. Must say never compared how much but
it includes 1024-bit prime value.
From SRP authors POV SHA1's weakness to collisions does not compromise SRP:
https://tools.ietf.org/html/rfc5054#page-13
But what about a case with stolen hashes - I do not believe in algorithm
that remains secure with 1 byte long password :D
And as I've already said choosing an algorithm with high computational
price is not good choice for a server due to dos attacks. On contrary
use of long random passwords on server and moving big computations to
client can provide both bruteforce and dos attacks resistance.
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
Firebird-Devel mailing list, web interface at
https://lists.sourceforge.net/lists/listinfo/firebird-devel
