[Cryptography] How secure are hashed passwords?

Bill Stewart billstewart at pobox.com
Thu May 22 17:08:50 EDT 2014


> On May 21, 2014, at 8:47 PM, John R. Levine <johnl at iecc.com> wrote:
> > Assuming a reasonably competent implementation of password hashing
> > (which I realize is a leap of faith here), with a strong hash and a
> > large enough salt to make rainbow tables impractical, how much can the
> > bad guys recover from the hashes?

At 07:09 PM 5/21/2014, Jerry Leichter wrote:
> Forget rainbow tables; they're irrelevant for modern attacks.  Pure
> brute force rules the day,...
>   (At the time, a single AMD Radeon HD7970 GPU could do 8.2 
> GigaHashes/second

eBay has about a billion users, plus or minus an order of magnitude.
If you've got password lists of sizes 1000 trivial, 64K way too easy,
1 million easy,
then that hardware could find all the way-too-easy passwords in a few hours,
and the easy ones in a few days.  They've had a few months.

And anybody who can afford to crack into eBay to steal their password files
can afford lots more hardware than that, or if they can't,
in a day or two they'll be able to order more hardware on eBay,
especially for users who use the same password for Paypal as for eBay.
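The estimate in Bill's message can be reproduced with a small model of cracking work: with per-user salts every candidate has to be hashed once per user, so the work is users times candidates, divided by the hash rate. The Python below is an added example, not code from the thread; the 8.2 GH/s figure and the order-of-magnitude user count come from the messages above, while the unsalted variant and the iteration count for a deliberately slow hash are assumptions added here to show why both matter to a defender.

```python
# Added example (not from the mailing-list thread): estimate how long a
# cracking rig needs to try a candidate-password list against a leaked
# hash database. Figures from the thread: 8.2 GH/s for one Radeon HD7970,
# roughly 1e9 users. The "unsalted" case and the iteration work factor are
# assumptions added here for comparison.

HASH_RATE_ONE_GPU = 8.2e9   # hashes/second, single GPU (quoted in the thread)
USERS = 1e9                 # order of magnitude quoted in the thread

# Candidate-list sizes as Bill's message classifies them (constructed table).
LISTS = {"trivial": 1_000, "way too easy": 65_536, "easy": 1_000_000}


def crack_seconds(hash_rate, users, candidates, salted=True, iterations=1):
    """Seconds to test every candidate against every user's stored hash.

    salted=True : each user has a unique salt, so each candidate must be
                  hashed once per user (work = users * candidates * iterations).
    salted=False: one hash per candidate, looked up against all stored
                  hashes at once (work = candidates * iterations). Assumed
                  variant, not discussed in the thread.
    iterations  : work factor of a deliberately slow hash (1 = raw fast hash).
    """
    if min(hash_rate, users, candidates, iterations) <= 0:
        raise ValueError("all parameters must be positive")
    work = candidates * iterations
    if salted:
        work *= users
    return work / hash_rate


def human(seconds):
    """Render a duration in the largest convenient unit, one decimal."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def scenario_table(hash_rate=HASH_RATE_ONE_GPU, users=USERS, iterations=1):
    """Map each list class to the salted cracking time for one GPU."""
    return {name: crack_seconds(hash_rate, users, size, True, iterations)
            for name, size in LISTS.items()}


if __name__ == "__main__":
    print("Salted fast hash, one GPU:")
    for name, secs in scenario_table().items():
        print(f"  {name:14s} {human(secs)}")
    # Hypothetical slow hash with a 10,000x work factor (assumption).
    print("Salted, 10,000-iteration hash, one GPU:")
    for name, secs in scenario_table(iterations=10_000).items():
        print(f"  {name:14s} {human(secs)}")
    # Unsalted: the whole database falls in one pass over the list.
    print("Unsalted fast hash, 'easy' list:",
          human(crack_seconds(HASH_RATE_ONE_GPU, USERS, LISTS["easy"], False)))
```

Running it gives about 2.2 hours for the 64K list and 1.4 days for the million-entry list, matching the "few hours" and "few days" in the message; the unsalted row shows why the salt is what forces the per-user multiplier, and the iteration row shows why a slow hash is the other lever a site operator controls.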
