Password encription

Joseph Tam jtam.home at gmail.com
Fri Oct 27 23:27:05 EEST 2017


Aki Tuomi wrote:

> The use of salt, today, is to prevent the attacker from directly seeing
> who has same passwords. Of course it also will make a rainbow table
> attack less useful,

Not just less useful, but almost infeasible.  Given the use of random
salts, you would have to generate (number of possible salts) rainbow
tables.  This drastically changes the CPU/storage tradeoffs.

> but then again, no one uses rainbow tables anymore
> since it takes about few minutes to brute force a password in the cloud
> or on your home computer GPU. SHA512-CRYPT uses by default 4000 rounds
> on dovecot, to make it more computationally expensive, but still it's
> not very strong protection anymore.

I know it is theoretically possible, but really, how feasible is it?
The way people talk about it, they make it sound trivial.  As a test,
I just generated a hash using "doveadm pw".  Any takers?

 	{SHA512-CRYPT}$6$qyQANQFbQGqOSqHh$Z4YVIe.QakXtWs63lWUmzlseKpiFzfPCKhwM0NQk8jP6QeRmk6POkCdSrFBmVO2wh.dgPCPA7Gq3sNUeKOZLM/

> MD5 with or without salt can be ATTAcked at passwords per second speed,
> so using CRAM-MD5 of DIGEST-MD5 is very very poor choice. Anything with
> MD5 should not be used for passwords these days.
>
> With Dovecot 2.3 we are making BLF-CRYPT available on all platforms, and
> also adding support for ARGON2 when you have libsodium available.

Straight hashes, without question, are weak.  I routinely break NTLM hashes
with rainbow tables.  I'm *not* arguing against the use of stronger
hashes, I'm just skeptical of the FUD surrounding the user of older
salted hashes.  This is especially true if the hashes are guarded
against leakage, as most are.  Strong crypt-hashes are an extra layer
of protection (defense in depth).

This page (if you trust 3rd parties) will report whether a password
was ever found in a breached databases.  You can also download the
SHA1 hashes of all their known cracked passwords.  It's big -- 5.3Gb
7-zipped file.

 	https://haveibeenpwned.com/Passwords

"j.emerlik" further asks:

> You mean that today they using encrypted passwords to seeing
> who has same passwords using brute force, hashes dictionary attack ?

They precompute hashes for large number of password candidates, then
look up hashes in that table.  Rainbow tables are a way of folding large
tables into a smaller ones, trading off space for extra CPU time.

However, for hashes that use non-trivial salts, you would need to
precompute an astronomically large number of tables.  An attacker might
be better off with a straight CPU-bound brute force search.

Joseph Tam <jtam.home at gmail.com>


More information about the dovecot mailing list