SHA-2 has an output size of 512 bits, so finding a collision would take O(2^256) time. Given there are no clever attacks on the algorithm itself (currently none are known for the SHA-2 hash family) this is what it takes to break the algorithm. To get a feeling for what 2^256 actually means: currently it is believed that the number of atoms in the (entire!!!) universe is roughly 10^80 which is roughly 2^266. Assuming 32 byte input (which is reasonable for your case - 20 bytes salt + 12 bytes password) my machine takes ~0,22s (~2^-2s) for 65536 (=2^16) computations. So 2^256 computations would be done in 2^240 * 2^16 computations which would take

2^240 * 2^-2 = 2^238 ~ 10^72s ~ 3,17 * 10^64 years

Even calling this millions of years is ridiculous. And it doesn't get much better with the fastest hardware on the planet computing thousands of hashes in parallel. No human technology will be able to crunch this number into something acceptable.

This assumes a dumb brute-force attack which you are almost never going to use (or at least you shouldn't). There are more intelligent (and orders of magnitude faster by using parallel computing hardware, e.g. GPUs) methods of brute force, but it's far more likely that you are going to use dictionary attacks which means 90%+ of the passwords will be cracked within a few days (or possibly within a few hours depending on the encryption used). SHA hashes are designed for real-time encryption (and they are not realistically crackable when used for that purpose, although weaknesses have been discovered in SHA-2, though they haven't been exploited AFAIK in the real world). If they are at rest they are incredibly vulnerable to intelligent attacks (as you point out dumb attacks don't work). That's why things like the incredibly slow bcrypt are becoming more and more popular. What might have taken 16 hours could take them 16 years if you used bcrypt to encrypt your passwords. You can achieve a similar result with progressive passes (tens of thousands) of SHA-2, but because of the way bcrypt works vs the way most hashing functions work, bcrypt may be inherently more resistant to attacks (the algorithms are better understood and have no discovered weaknesses).

EDIT: Also, the math above seems old, 220ms for only 65536 guesses is mad slow for SHA (but the same amount of guesses might take 10 minutes or more with bcrypt).

EDIT2: It's probably also worth mentioning scrypt (google it), which has a lot in common with bcrypt, but is even more impossible to crack (and once it is better studied will likely become the default resting password encryption).

Best encryption is first closing the gaps in the system. Something like remote SQL code execution by a random user should not be happening in this day and age. Pity to see S2 take such a huge blow, seeing how I've been supporting them for all those years. They're not the first and won't be the last though; as was mentioned previously, a lot of other companies had problems with hackers which were much more severe (more crucial data/valuable goods stolen).

The word encryption is being repeatedly used here and it should be noted that these stored passwords have nothing to do with encryption. They are hashes.

Encryption is the transformation of information into unintelligible gibberish with the use of a key. The same key can then be used to turn that gibberish back into useful information. It's useful if you're sending information out into the wild and you don't want it to be read except by intended individuals (an encryption key is agreed upon during a handshake and all subsequent communication is encrypted and decrypted using the key).
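The gap the thread argues about, between one fast SHA-2 pass and a deliberately slow scheme for passwords at rest, can be measured directly. The Python sketch below is an added example, not code from any of the posts: the function names, the iteration count, the scrypt parameters and the wordlist scenario are assumptions, and PBKDF2 (iterated SHA-2) and scrypt from the standard library stand in for bcrypt, which the standard library does not ship.

```python
import hashlib
import hmac
import os
import time

# Assumed work factors for illustration; tune them on your own hardware.
PBKDF2_ITERATIONS = 50_000               # "tens of thousands" of SHA-2 passes
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)  # roughly 16 MiB of memory per guess

def fast_hash(password: bytes, salt: bytes) -> bytes:
    """One salted SHA-256 pass: cheap for the server, cheap for a cracker."""
    return hashlib.sha256(salt + password).digest()

def stretched_hash(password: bytes, salt: bytes) -> bytes:
    """Iterated HMAC-SHA-256 (PBKDF2): every guess pays for all iterations."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)

def scrypt_hash(password: bytes, salt: bytes) -> bytes:
    """scrypt: slow and memory-hard, which also blunts GPU parallelism."""
    return hashlib.scrypt(password, salt=salt, dklen=32, **SCRYPT_PARAMS)

def verify(scheme, password: bytes, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(scheme(password, salt), stored)

def seconds_per_guess(scheme, rounds: int) -> float:
    """Average single-core time for one password guess under `scheme`."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(rounds):
        scheme(b"guess-%d" % i, salt)
    return (time.perf_counter() - start) / rounds

def wordlist_hours(scheme, rounds: int, words: int, accounts: int) -> float:
    """Hours to try `words` guesses against `accounts` uniquely salted hashes."""
    return seconds_per_guess(scheme, rounds) * words * accounts / 3600

if __name__ == "__main__":
    # Constructed scenario: 10 million candidate words, 1,000 leaked accounts.
    for name, scheme, rounds in (("salted SHA-256", fast_hash, 20_000),
                                 ("PBKDF2-SHA-256", stretched_hash, 5),
                                 ("scrypt", scrypt_hash, 5)):
        hours = wordlist_hours(scheme, rounds, 10_000_000, 1_000)
        print(f"{name:15s} {hours:14.1f} single-core hours")
```

The printed figures are single-core estimates on the machine that runs the script; the ratio between the rows is the point, not the absolute numbers.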