Seems incorrect; 10 "Numbers, Upper and Lowercase Letters" is 64^10 = 2^60, and with properly applied key stretching (a difficulty factor of 2^30, say), that's 2^90. To do 2^90 hash operations in 3 weeks would require doing almost 700 quintillion hash operations per second. Bitcoin hashrate is 7,983,858 terahashes per second, almost a hundred times lower. Hivesystems is proposing "a hacker" with a hundred times as much power as the entire Bitcoin network, assuming your PBKDF's difficulty factor is set to 2^30.
QT: mastodon.social/@Tutanota/1099

Tuta  
Time it takes for a hacker to brute force your password. #Cybersecurity Good to know: Tutanota checks your password upon signup and makes sure it...

Oh, reading the page at hivesystems.io/blog/are-your-p, they're assuming your password hashing algorithm is just plain MD5 without any hash iteration, claiming this is "2018 cybersecurity practices". @Tutanota, please tell me you are not hashing your users' passwords with plain MD5 without any hash iteration? Because Unix has iterated its password hashing function since 7th edition Unix, 25 iterations of modified DES: en.wikipedia.org/wiki/Crypt_(C. That was in 1979. The password encryption approach Hive is suggesting has been known to be bad practice since 1979. When PHK implemented md5crypt for BSD in the 90s, it used 1000 iterations of MD5. A single iteration is not 2018 practice.

(Some people surely did commit this error in building their systems.)

They aren't actually proposing "a hacker" with a hundred times as much power as the entire Bitcoin network; they are proposing to rent eight A100 GPUs from Amazon AWS, which they say would get 523 billion hashes per second, which is 16 million times less compute than the Bitcoin network. At this speed 2^90 hashes would take 75 million years, not the 3 weeks they state, which is correct for 2^60.
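The arithmetic behind the first and third posts above (keyspace times iteration count divided by the attacker's hash rate), as an added example that is not part of the thread and not code from Hive Systems or Tutanota. The hash-rate constants are the figures quoted in the posts, taken here as assumptions; the alphanumeric charset is 10 + 26 + 26 = 62 symbols, which the thread rounds up to 64 = 2^6. The last function measures, on the local CPU, how much a 1000-iteration PBKDF2 costs relative to a single MD5, which is the same work-factor argument made in the thread.

```python
"""Brute-force cost estimates for the figures quoted in this thread (added example)."""
import hashlib
import os
import time

# Assumed inputs, copied from the posts above rather than measured here:
AWS_8xA100_HASHES_PER_S = 523e9        # Hive's figure for eight A100s running plain MD5
BITCOIN_HASHES_PER_S = 7_983_858e12    # ~8e18 SHA-256d/s network hashrate quoted in the thread
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# 10 digits + 26 upper + 26 lower = 62 symbols; the thread rounds this up to 64 = 2**6
ALNUM_CHARSET = 62


def brute_force_seconds(charset_size, length, hashes_per_second, iterations=1):
    """Worst-case seconds to try every password of `length` symbols.

    Each candidate costs `iterations` underlying hash operations, so a
    stretched scheme (md5crypt, PBKDF2, ...) multiplies the attacker's work
    by its iteration count. Plain, unstretched MD5 is iterations=1.
    """
    keyspace = charset_size ** length
    return keyspace * iterations / hashes_per_second


def crack_time_table(length=10, charset_size=ALNUM_CHARSET,
                     hashes_per_second=AWS_8xA100_HASHES_PER_S):
    """Crack time in years, per scheme, for the iteration counts discussed in the thread."""
    schemes = {
        "plain MD5 (Hive's model)": 1,
        "md5crypt, 1000 iterations": 1000,
        "stretched to 2**30 work factor": 2 ** 30,
    }
    return {
        name: brute_force_seconds(charset_size, length, hashes_per_second, it) / SECONDS_PER_YEAR
        for name, it in schemes.items()
    }


def measured_work_factor(iterations=1000, trials=200):
    """Wall-clock cost ratio of PBKDF2-HMAC-SHA256 at `iterations` vs one plain MD5.

    Single-core, local analogue of the thread's point: the defender chooses
    the iteration count and the attacker pays it on every guess.
    """
    salt = os.urandom(16)
    pw = b"correct horse"  # constructed sample password, not from any breach

    t0 = time.perf_counter()
    for _ in range(trials):
        hashlib.md5(salt + pw).digest()
    plain = time.perf_counter() - t0

    t0 = time.perf_counter()
    for _ in range(trials):
        hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    stretched = time.perf_counter() - t0
    return stretched / plain


if __name__ == "__main__":
    days_plain = brute_force_seconds(64, 10, AWS_8xA100_HASHES_PER_S) / SECONDS_PER_DAY
    print(f"64^10 candidates, plain MD5 on 8xA100: {days_plain:.1f} days")
    for name, years in crack_time_table().items():
        print(f"{name:32s} {years:12.3g} years")
    print(f"8xA100 vs Bitcoin network: 1 : {BITCOIN_HASHES_PER_S / AWS_8xA100_HASHES_PER_S:.3g}")
    print(f"measured cost ratio, PBKDF2(1000) vs single MD5: {measured_work_factor():.0f}x")
```

With the thread's 64^10 keyspace and 523 billion MD5/s, `brute_force_seconds` gives about 25 days (Hive's "3 weeks"); multiplying the iteration count by 2^30 pushes the same keyspace to roughly 75 million years, which is the discrepancy the posts point out. The measured ratio varies by machine but is in the hundreds-to-thousands range for 1000 iterations.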


md5crypt() is from 1995, and although it has been deprecated since 2012 because it is too fast to be secure nowadays, cracking it takes 1000 times longer than Hive is claiming (or, more specifically, than @Tutanota is claiming by their choice of one of Hive's images.)

Is that what the password data breaches they talk about were using? Or were they really just using single-iteration MD5 like a fresh bootcamp graduate?

web.archive.org/web/2018031716

Qoto Mastodon
