Bitcoin Forum
Author Topic: Public Safety Announcement: On the subject of password security  (Read 5205 times)
mrb
June 27, 2011, 10:52:36 AM
 #61

No. My point is: use industry standards like PHP's builtin crypt() CRYPT_SHA512 mode. They are an excellent compromise between CPU time & strength.

You have no reason to refuse to follow industry standards.

So was MD5 10 years ago...

You've a GOOD reason to NOT follow industry standards actually; it's called "Rainbow Tables" and alike.
MD5 was never broken, NTLM was never broken, all of those 1-way hashing mechanisms were never broken, what happened is that they're "industry standards", so it became easy to create dbs with their possible contents.

If you had any education whatsoever in the area of password hashing, you would know that CRYPT_SHA512 is immune to rainbow tables thanks to its unique salt per hash. This is why you should use it instead of plain MD5/SHA1/SHA512 etc.
BCEmporium
June 27, 2011, 11:15:45 AM
 #62

If you've any education you would know what Rainbow tables are and how ridiculous is that statement.
Obviously any algorithm can be stored as pre-computed hashes. Your statement is as ridiculous as to say that if I calc the hash under the same parameters at my computer it will render a different result than if I do it at yours. Yes, salt, if unknown or per-user, will prevent Rainbow Tables, but that's valid for any hashing algorithm.

To the end, how breakable it is relies on computing power, what was good at 386's time is an easy picking today, and within 10 years even your SHA512 1000 or 5000 rounds salted with any flavor may be too. But still... for what's in the market now it is nearly unbreakable.
mrb
June 27, 2011, 11:34:59 AM
 #63

"how ridiculous is that statement"

"Yes, salt, if unknown or per-user, will prevent Rainbow Tables"

Way to contradict yourself! This discussion is now over.
BCEmporium
June 27, 2011, 11:46:17 AM
 #64

"how ridiculous is that statement"

"Yes, salt, if unknown or per-user, will prevent Rainbow Tables"

Way to contradict yourself! This discussion is now over.

No, you imply that it can't be in a RT because of its "unique salting method", like if two computers would compute a different hash...
However this would be perfectly RT:

// single quotes, so PHP does not expand $rounds and $myeverydaysalt as variables
crypt('pass', '$6$rounds=5000$myeverydaysalt$');

And unknown or per-user salt will prevent RT on every algorithm and not just SHA512
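
Added example, not part of the thread or any poster's code: PHP showing the point the two posters converge on, that a salt shared by every account leaves crypt() CRYPT_SHA512 hashes precomputable, while a random per-account salt does not. The function names and the sample password are assumptions made for illustration; random_bytes() needs PHP 7 or later.

```php
<?php
// Added illustration: helper names and sample accounts are hypothetical.

// Build a CRYPT_SHA512 setting string with a fresh random salt per account.
function new_setting(int $rounds = 5000): string {
    // 8 random bytes become 16 hex characters, the longest salt $6$ accepts.
    return sprintf('$6$rounds=%d$%s$', $rounds, bin2hex(random_bytes(8)));
}

function hash_password(string $password, string $setting): string {
    $hash = crypt($password, $setting);
    // crypt() reports failure with a short marker string such as "*0".
    if (strlen($hash) < 20) {
        throw new RuntimeException('crypt() rejected the setting string');
    }
    return $hash;
}

// The stored hash embeds its own rounds and salt, so it is reused as the
// setting string; hash_equals() compares in constant time.
function verify_password(string $password, string $stored): bool {
    return hash_equals($stored, crypt($password, $stored));
}

// Constructed sample: two accounts that happen to choose the same password.
$shared = '$6$rounds=5000$myeverydaysalt$';   // the fixed salt from post #64

// Fixed salt: if these two hashes are identical, a single precomputed
// table built for that salt applies to every account in the database.
$alice = hash_password('pass', $shared);
$bob   = hash_password('pass', $shared);
echo "fixed salt, hashes identical:    ";
var_dump($alice === $bob);

// Per-account salt: a table would have to be rebuilt for each stored salt,
// which removes the advantage of precomputation.
$carol = hash_password('pass', new_setting());
$dave  = hash_password('pass', new_setting());
echo "per-user salt, hashes identical: ";
var_dump($carol === $dave);

// Login still works because the salt travels with the stored hash.
echo "correct password verifies:       ";
var_dump(verify_password('pass', $carol));
echo "wrong password verifies:         ";
var_dump(verify_password('wrong', $carol));
```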
cloud9
June 27, 2011, 12:40:25 PM
 #65

Everyone here knows Bitcoins - and Bitcoins are very, very secure.

Why not (in offline mode) create a new empty wallet.dat

Move it to removable media.

Sign in on a secure computer to your service provider and upload your newly created empty wallet.dat

When you sign in to a secure service provider the following happens VERY, VERY securely:

They spend a SMALL amount of bitcoins to the shared wallet.dat and request you to spend it back (verifying your identity and shared ownership of the wallet.dat)




With current difficulty and network hash power at ~10THash/sec it should take more than a week to brute force attack with the average PC.

Disclaimer:  Postings of Cloud9 are only individual views of opinion and/or musings and/or hypotheses.  On a non-authoritative, peer-to-peer public forum, you do not need permission from Cloud9 to derive your own conclusions or opinions, so please do.  Calculations and assumptions to be verified.