[Cryptography] Securing cryptocurrencies

grarpamp grarpamp at gmail.com
Thu Mar 12 02:07:30 EDT 2015


On Wed, Mar 11, 2015 at 6:30 PM, Bill Cox <waywardgeek at gmail.com> wrote:
>>     Is SHA256 broken?
>
> BitCoin has also shown that the typical PBKDF2-SHA256(1000) is essentially
> broken.  About 1/2-ish of all user passwords are likely to be in an
> attacker's 5-million-ish entry dictionary.  See 10-million-combos.zip - over
> 2.5 million of the first 5 million users' passwords occur in the second 5
> million.  These passwords can be brute-force guessed by ASICs in about 2.5
> million guesses, where the guessing hardware costs $1 per 1 billion SHA256
> per second.  An average password in the dictionary is broken in 5 seconds
> (two SHA-256 calls per guess) on $1 worth of hardware, assuming the attacker
> has bought enough of them to get to the economy of scale that the BitCoin
> miners have achieved.
>
> We didn't know this before BitCoin.  I did some back-of-the-envelop
> calculations, but never guessed ASIC attacks could be this brutal.

ASIC's are indeed a bitch against common human nature.
Yet SHA-256 and ASIC's or not, we need to remember that breaking
that nature takes only 40 random ascii chars to preclude 2^256 exhaustion
(or 50% odds from 2^128). So all other things robust, simply genning
and writing that string down and storing it properly offline is sufficient
protection. Some might even accept char counts of 25 (50%@80bit),
or 20 (50%@64bit), or 10 (for 1B ops/s per human lifespan), or less depending
on application. Even 8 (50%@26bit) for memory's sake (67M guesses
against an internet facing web app is rather difficult to succeed without
drawing admin attention). Suffice to say that 15 chars seems to have
you pretty well covered for life against a billion bitcoin calculators.
In this context, the repeated password threads get old very quickly.


More information about the cryptography mailing list