foc-u, hacking and your data (a warning)
#21
(03-09-13, 07:30 PM)Farjo link Wrote:
goldfazer Wrote: Can the login passwords not be encrypted?
That's web security for dummies stuff!!
Yes they're encrypted, however this is what I've read elsewhere:
"Yes, they are encrypted. Unfortunately it's possible to brute force with about 3 billion, or more, attempts *per second*.
A very interesting article about that, if you care, is located here:
http://www.zdnet.com/blog/hardware/cheap...less/13125"
MD5 and SHA are designed to be processed quickly.  That's why they're not good for storing passwords as brute force attacks get a quick response.  The way around it is to make the processing slow because passwords don't need to be decrypted quickly.  That's where Bcrypt comes in.


https://en.wikipedia.org/wiki/Bcrypt

Opinions are like A**holes, Everyone has one.  Some people seem to have more than one though which is a bit odd.
Reply
#22
The danger is that someone who has stolen the database can then use brute force to obtain the user passwords, rather than attempt it on the live site which would swamp the log files.
Reply
#23
(03-09-13, 07:46 PM)Farjo link Wrote: The danger is that someone who has stolen the database can then use brute force to obtain the user passwords, rather than attempt it on the live site which would swamp the log files.
If someone stole the database and it was encrypted with Bcrypt then they could get a password in 12 years or so depending on configuration.


"So we're talking about 5 or so orders of magnitude. Instead of cracking a password every 40 seconds, I'd be cracking them every 12 years or so"
Opinions are like A**holes, Everyone has one.  Some people seem to have more than one though which is a bit odd.
Reply
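The point made in #21 and #23 (a fast digest lets an attacker with a stolen table test guesses at enormous rates, a deliberately slow, salted function with a tunable work factor shrinks that rate by orders of magnitude) can be measured directly. This is an added example, not code from the thread or from SMF; bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in as the slow function, and the iteration count, salts and sample passwords are constructed values.

```python
# Added example (not from the thread): a fast digest versus a slow, salted KDF
# for password storage. PBKDF2-HMAC-SHA256 stands in for bcrypt here; its
# iteration count plays the role of bcrypt's cost parameter.
import hashlib
import hmac
import os
import time

ITERATIONS = 50_000  # constructed work factor; raise it as hardware gets faster


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' with a fresh 16-byte salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive from the stored parameters and compare in constant time."""
    alg, iterations, salt_hex, hash_hex = stored.split("$")
    if alg != "pbkdf2_sha256":
        return False  # unknown scheme: treat as a failed login, never as a match
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def guesses_per_second(fn, guesses: int) -> float:
    """Time `guesses` calls of fn(candidate) on one core and return the rate."""
    start = time.perf_counter()
    for i in range(guesses):
        fn(f"candidate{i}")
    return guesses / (time.perf_counter() - start)


def slowdown_factor(iterations: int = ITERATIONS) -> float:
    """How many times fewer guesses per second the slow KDF permits than plain SHA-256."""
    salt = b"constructed-fixed-salt"  # fixed salt so only the work factor differs
    fast = guesses_per_second(lambda p: hashlib.sha256(p.encode()).digest(), 20_000)
    slow = guesses_per_second(
        lambda p: hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations), 20
    )
    return fast / slow


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
    print(f"guess-rate ratio fast/slow on this machine: {slowdown_factor():.0f}x")
```

The ratio printed is per core on the verifying machine; the "orders of magnitude" quoted in #23 comes from the same comparison run against GPU-rate fast hashing.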
#24
Search the SMF site for bcrypt - you may understand what you find!
Reply