Password encryption

Aki Tuomi aki.tuomi at dovecot.fi
Sat Oct 28 01:39:25 EEST 2017


> On October 27, 2017 at 11:27 PM Joseph Tam <jtam.home at gmail.com> wrote:
> 
> 
> Aki Tuomi wrote:
> 
> > The use of salt, today, is to prevent the attacker from directly seeing
> > who has same passwords. Of course it also will make a rainbow table
> > attack less useful,
> 
> Not just less useful, but almost infeasible.  Given the use of random
> salts, you would have to generate (number of possible salts) rainbow
> tables.  This drastically changes the CPU/storage tradeoffs.
> 
> > but then again, no one uses rainbow tables anymore
> > since it takes about few minutes to brute force a password in the cloud
> > or on your home computer GPU. SHA512-CRYPT uses by default 4000 rounds
> > on dovecot, to make it more computationally expensive, but still it's
> > not very strong protection anymore.
> 
> I know it is theoretically possible, but really, how feasible is it?
> The way people talk about it, they make it sound trivial.  As a test,
> I just generated a hash using "doveadm pw".  Any takers?
> 
>  	{SHA512-CRYPT}$6$qyQANQFbQGqOSqHh$Z4YVIe.QakXtWs63lWUmzlseKpiFzfPCKhwM0NQk8jP6QeRmk6POkCdSrFBmVO2wh.dgPCPA7Gq3sNUeKOZLM/
> 

A random article on the internet says it's rather feasible if you want passwords cracked. Of course if the passwords are longer than, say, 8 characters, it becomes less feasible. My point wasn't to say that SHA512 is fully insecure, and adding rounds does make it less so as the expenses rack up. 

https://killtacknine.com/test-driving-google-cloud-gpus-with-hashcat/

It's not available on the graphics (puzzling), but if you look at the gist, it'll show that SHA512-CRYPT is cracked at 247.9 kH/s and MD5-CRYPT (salted MD5) at 17579.7 kH/s. As comparison, straight non-salted SHA512 goes at 1402.7 MH/s and MD5 with no salting at 33677.6 MH/s. For reference, DIGEST-MD5 uses MD5(username:realm:password) as the stored credential, which is pretty much straight MD5 for cracking.

https://gist.github.com/anonymous/1fa176d82af79e879a9efa74c9d1c970

> > MD5 with or without salt can be attacked at passwords per second speed,
> > so using CRAM-MD5 or DIGEST-MD5 is a very, very poor choice. Anything with
> > MD5 should not be used for passwords these days.
> >
> > With Dovecot 2.3 we are making BLF-CRYPT available on all platforms, and
> > also adding support for ARGON2 when you have libsodium available.
> 
> Straight hashes, without question, are weak.  I routinely break NTLM hashes
> with rainbow tables.  I'm *not* arguing against the use of stronger
> hashes, I'm just skeptical of the FUD surrounding the use of older
> salted hashes.  This is especially true if the hashes are guarded
> against leakage, as most are.  Strong crypt-hashes are an extra layer
> of protection (defense in depth).
> 

Yet these leaks, they seem to occur.

> This page (if you trust 3rd parties) will report whether a password
> was ever found in breached databases.  You can also download the
> SHA1 hashes of all their known cracked passwords.  It's big -- 5.3Gb
> 7-zipped file.
> 
>  	https://haveibeenpwned.com/Passwords
> 
> "j.emerlik" further asks:
> 
> > You mean that today they are using encrypted passwords to see
> > who has the same passwords, using brute force or hash dictionary attacks?
> 
> They precompute hashes for a large number of password candidates, then
> look up hashes in that table.  Rainbow tables are a way of folding large
> tables into smaller ones, trading off space for extra CPU time.
> 
> However, for hashes that use non-trivial salts, you would need to
> precompute an astronomically large number of tables.  An attacker might
> be better off with a straight CPU-bound brute force search.
> 
> Joseph Tam <jtam.home at gmail.com>
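What the SHA512-CRYPT string quoted above actually computes, as an added example that is not part of this thread or of Dovecot's code: a Python implementation of the `$6$` scheme following Drepper's "Unix crypt using SHA-256 and SHA-512" specification, plus a checker for Dovecot's `{SHA512-CRYPT}` prefix form. The function names, the `rounds != 5000` rule for writing `rounds=N$`, and the 4000-round and salt values used for illustration are this example's own assumptions; the spec's published test vector (salt `saltstring`, password `Hello world!`) confirms the algorithm.

```python
import hashlib
import hmac
import re
B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"  # crypt(3) alphabet, not RFC 4648

def sha512_crypt(password: bytes, salt: bytes, rounds: int = 5000) -> str:
    """SHA512-CRYPT ($6$) as specified in Drepper's "Unix crypt using SHA-256 and SHA-512"."""
    sha = lambda data: hashlib.sha512(data).digest()
    salt = salt[:16]                            # the spec caps the salt at 16 bytes
    rounds = min(max(rounds, 1000), 999999999)  # and clamps the round count
    n = len(password)
    # B = SHA512(pw||salt||pw); A absorbs pw, salt, n bytes of B, then B (1 bit) or pw (0 bit) per bit of n.
    B = sha(password + salt + password)
    A = hashlib.sha512(password + salt + (B * (n // 64 + 1))[:n])
    bits = n
    while bits:
        A.update(B if bits & 1 else password)
        bits >>= 1
    A = A.digest()
    P = (sha(password * n) * (n // 64 + 1))[:n]                        # DP cut to password length
    S = (sha(salt * (16 + A[0])) * (len(salt) // 64 + 1))[:len(salt)]  # DS cut to salt length
    # The expensive part: `rounds` chained SHA-512 computations over P, S and the running C.
    C = A
    for i in range(rounds):
        h = hashlib.sha512(P if i & 1 else C)
        if i % 3:
            h.update(S)
        if i % 7:
            h.update(P)
        h.update(C if i & 1 else P)
        C = h.digest()
    # Encoding: bytes (k, k+21, k+42) rotated by k mod 3 -> 24-bit word -> 4 chars, low 6 bits first; byte 63 -> 2 chars.
    out = ""
    for k in range(22):
        t = [C[k], C[k + 21], C[k + 42]] if k < 21 else [0, 0, C[63]]
        t = t[k % 3:] + t[:k % 3]
        w = (t[0] << 16) | (t[1] << 8) | t[2]
        out += "".join(B64[(w >> (6 * j)) & 63] for j in range(4 if k < 21 else 2))
    prefix = "$6$" + (f"rounds={rounds}$" if rounds != 5000 else "")
    return prefix + salt.decode() + "$" + out

def verify_dovecot(stored: str, password: bytes) -> bool:
    """Check a password against Dovecot's {SHA512-CRYPT}$6$[rounds=N$]salt$hash string form."""
    m = re.fullmatch(r"(?:\{SHA512-CRYPT\})?\$6\$(?:rounds=(\d+)\$)?([^$]{1,16})\$([./0-9A-Za-z]{86})", stored)
    if m is None:
        return False
    rounds = int(m.group(1)) if m.group(1) else 5000
    computed = sha512_crypt(password, m.group(2).encode(), rounds).rsplit("$", 1)[1]
    return hmac.compare_digest(computed, m.group(3))
```

Every one of the `rounds` iterations is a full SHA-512 over password- and salt-derived material, which is why the per-hash rate in the gist above falls from 1402.7 MH/s for plain SHA-512 to 247.9 kH/s for SHA512-CRYPT, and why raising the round count raises the cracking cost in proportion.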