#1 Password hashing
Is this method pretty secure for login passwords?

This specifies that SHA512 shall be used for password hashing for user logins. By default, 5000 rounds are used.

Thanks, Andy
#2 Password hashing
Andy wrote:
> Is this method pretty secure for login passwords?
> This specifies that SHA512 shall be used for password hashing for user logins. By default, 5000 rounds are used.
> Thanks, Andy

The passwords are also salted.

https://security.stackexchange.com/q...-hashes-really

On a Windows box, you can reset the password, and have the user enter a new one. The account is wide open when that happens. Cracking the password means discovering what the password is, which could leave the account compromised without the user realizing that someone has broken in. This takes a few days to do with a modern GPU.

For simpler password situations, a rainbow table can be used. You can purchase rainbow tables on a BluRay disc (to give you some idea just how huge the tables are), and those can accelerate cracking the password for "simple" passwords. So if your password is "andy" and contains no numbers or punctuation or uppercase or a great length, the rainbow table in theory can find the answer faster than a cracking setup can do it. Or, for the freely available downloadable rainbow tables, you might be able to try cracking a password without buying a fancy GPU. The GPU is more likely to succeed in the long run.

A Linux distro like Kali may have a few tools for playing with this stuff. People who do penetration testing use a box with eight video cards for password cracking. They test whether they can get into commercial operations (by invitation of the owner). A pen test box doubles as a coin miner, so you can alternate between being a security expert and an Ethereum miner :-)

Paul
#3 Password hashing
On Sunday, July 15, 2018 at 7:53:12 PM UTC-5, Paul wrote:
> Andy wrote:
> > Is this method pretty secure for login passwords?
> > This specifies that SHA512 shall be used for password hashing for user logins. By default, 5000 rounds are used.
> > Thanks, Andy
>
> The passwords are also salted.
>
> https://security.stackexchange.com/q...-hashes-really
>
> On a Windows box, you can reset the password, and have the user enter a new one. The account is wide open when that happens. Cracking the password means discovering what the password is, which could leave the account compromised without the user realizing that someone has broken in. This takes a few days to do with a modern GPU.
>
> For simpler password situations, a rainbow table can be used. You can purchase rainbow tables on a BluRay disc (to give you some idea just how huge the tables are), and those can accelerate cracking the password for "simple" passwords. So if your password is "andy" and contains no numbers or punctuation or uppercase or a great length, the rainbow table in theory can find the answer faster than a cracking setup can do it. Or, for the freely available downloadable rainbow tables, you might be able to try cracking a password without buying a fancy GPU. The GPU is more likely to succeed in the long run.
>
> A Linux distro like Kali may have a few tools for playing with this stuff. People who do penetration testing use a box with eight video cards for password cracking. They test whether they can get into commercial operations (by invitation of the owner). A pen test box doubles as a coin miner, so you can alternate between being a security expert and an Ethereum miner :-)
>
> Paul

Thanks. I use a randomly generated 10 character pw which can contain any variation of characters available.

Andy
#4 Password hashing
Are you asking the correct question?

How long is the hash? 25 characters or? Do intruders have access to the application to decrypt the message? If so, it is the password that needs to be long and strong. If no access to the encrypt/decrypt app then the hash, almost any hash, will be plenty strong. Basically it is the length of the string used to do the encryption that determines how difficult it will be.

Assuming you use upper case + lower case + numerics + symbols in your long password. Each character position of a password has many possibilities; for my keyboard:

  number of alpha upper case = 26
  number of alpha lower case = 26
  number of symbols = 28   .,/?'";:[{]}=+-_)(*&^%$#@!~`
  number of digits = 10

Calculate the permutation based on some length of password. If I did this right, for this combination with a 10 character password:

  combinations roughly = 75,330,543,424,778,800,000,000,000

with 12:

  combinations roughly = 62,843,752,546,687,400,000,000,000,000,000

Now if the hash is considered as being 25 characters then trying to guess the hash (hash is typically uppercase alpha and digits = 36 possibilities):

  combinations is roughly = 144,552,334,519,691,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000.000

Some mathematician will come along and correct me.
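The two technical points in this thread, Paul's note in #2 that the hashes are salted and iterated, and the keyspace arithmetic in #4, are easy to check with a small script. The following is an added example, not code from any poster: it uses `hashlib.pbkdf2_hmac` with SHA-512 as a stand-in for the sha512crypt (`$6$`) scheme Andy asked about (both are salted, iterated SHA-512 constructions with a tunable round count; the on-disk formats differ), takes the character-class sizes from post #4, and treats the cracking rate as an assumed figure supplied by the caller rather than a measurement. The record format `rounds$salt$digest` and all function names are this example's own.

```python
import hashlib
import hmac
import math
import secrets
from typing import Optional

# Added example, not code from the thread. PBKDF2-HMAC-SHA512 stands in for
# sha512crypt ("$6$"): both are salted, iterated SHA-512 constructions with a
# tunable round count, but their output formats are not interchangeable.
DEFAULT_ROUNDS = 5000      # the default round count the question mentions
SALT_BYTES = 16

# Character-class sizes exactly as post #4 counts them for its keyboard.
CHARSET_SIZES = {"upper": 26, "lower": 26, "symbols": 28, "digits": 10}
CHARSET_TOTAL = sum(CHARSET_SIZES.values())  # 90 symbols per position


def hash_password(password: str, rounds: int = DEFAULT_ROUNDS,
                  salt: Optional[bytes] = None) -> str:
    """Hash under a fresh random salt (unless one is supplied) and return a
    self-describing record 'rounds$salt_hex$digest_hex' so the verifier can
    recover the parameters later. This record layout is this example's own."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return f"{rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest under the stored salt and round count; compare in
    constant time so the comparison itself leaks nothing about the digest."""
    rounds_str, salt_hex, digest_hex = record.split("$")
    actual = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds_str)
    )
    return hmac.compare_digest(actual, bytes.fromhex(digest_hex))


def salt_defeats_precomputation(password: str, rounds: int = 100) -> bool:
    """The property that makes a rainbow table useless against salted hashes:
    the same password hashed twice gives two different records, yet both verify.
    A precomputed table would need one entry per (password, salt) pair."""
    first, second = hash_password(password, rounds), hash_password(password, rounds)
    return (first != second
            and verify_password(password, first)
            and verify_password(password, second))


def keyspace(length: int, alphabet: int = CHARSET_TOTAL) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from
    `alphabet` symbols (post #4's 'combinations' for a fixed length)."""
    return alphabet ** length


def entropy_bits(length: int, alphabet: int = CHARSET_TOTAL) -> float:
    """The same quantity in bits, the usual unit for comparing password strength."""
    return length * math.log2(alphabet)


def expected_seconds_to_crack(length: int, raw_sha512_per_second: float,
                              rounds: int = DEFAULT_ROUNDS,
                              alphabet: int = CHARSET_TOTAL) -> float:
    """Average time for exhaustive guessing of a uniformly random password.

    The raw SHA-512 rate is divided by the round count because every guess
    costs `rounds` hash computations (this is what the rounds buy the defender),
    and on average half the keyspace is searched before the hit."""
    guesses_per_second = raw_sha512_per_second / rounds
    return keyspace(length, alphabet) / 2 / guesses_per_second


if __name__ == "__main__":
    record = hash_password("example-password")           # constructed sample input
    print(record)
    print("verify ok:", verify_password("example-password", record))
    print("salt defeats precomputation:", salt_defeats_precomputation("andy"))
    print(f"10-char keyspace: {keyspace(10):,} ({entropy_bits(10):.1f} bits)")
    # Assumed illustrative rate, not a benchmark: 1e10 raw SHA-512 per second.
    years = expected_seconds_to_crack(10, 1e10) / (365 * 24 * 3600)
    print(f"expected time at 1e10 SHA-512/s and {DEFAULT_ROUNDS} rounds: {years:,.0f} years")
```

Run it as a script to see a fresh record and the keyspace figures. Note that `keyspace(10)` with post #4's 90-symbol alphabet comes out as 90^10 (about 3.5 x 10^19, or roughly 65 bits); the example computes the figure rather than taking the thread's numbers as given, and its cracking-time estimate depends entirely on the rate you pass in.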