From f22692d8364fa0c89f621f09a5acf73cdf278d81 Mon Sep 17 00:00:00 2001 From: Rohan Kumar Date: Sun, 17 Jan 2021 10:12:58 -0800 Subject: [PATCH] Fixed misconception about salting/hashing Clarify that salting + hashing isn't reversible by a naive brute-force attack. --- content/posts/password-strength.gmi | 17 +++++++++-------- content/posts/password-strength.md | 21 ++++++++++++--------- 2 files changed, 21 insertions(+), 17 deletions(-) diff --git a/content/posts/password-strength.gmi b/content/posts/password-strength.gmi index 5ee2ac7..7e971d8 100644 --- a/content/posts/password-strength.gmi +++ b/content/posts/password-strength.gmi 
@@ -26,18 +26,15 @@ How strong should your password be for it to be safe from a brute-force attack b ### Quantifying password strength. +Note: a previous version of this section wasn't clear and accurate. I've since removed the offending bits and added a clarification about salting/hashing to the "Caveats and estimates" section. + A good measure of password strength is *entropy bits.* The entropy bits in a password is a base-2 logarithm of the number of guesses required to brute-force it.¹ A brute-force attack that executes 2ⁿ guesses is certain to crack a password with n entropy bits, and has a one-in-two chance of cracking a password with n+1 entropy bits. -For scale, AES 256 encryption is currently the industry standard for strong symmetric encryption. +For scale, AES-256 encryption is currently the industry standard for strong symmetric encryption, and uses key lengths of 256-bits. An exhaustive key search over a 256-bit key space would be up against its 2²⁵⁶ possible permutations. -=> https://en.wikipedia.org/wiki/Advanced_Encryption_Standard Advanced Encryption Standard (Wikipedia) - -As the name suggests, its keys have 256 bits of entropy. Be aware that AES keys are typically derived from key derivation functions that salt and hash passwords, so a brute-force attack to discover the password from an AES key would be against such a function. Perhaps I could address that in a future article. - -=> https://en.wikipedia.org/wiki/Key_derivation_function Key derivation function (Wikipedia) -=> https://en.wikipedia.org/wiki/Salt_(cryptography) Salt (cryptography) (Wikipedia) +=> https://en.wikipedia.org/wiki/Advanced_Encryption_Standard To calculate the entropy of a password, I recommend using a tool such as zxcvbn or KeePassXC. 
@@ -58,6 +55,10 @@ If P(n, e) ≥ 1, the MOAC will certainly guess your password before running out I don't have a strong physics background. +A brute-force attack will just guess a single password until the right one is found. Brute-force attacks won't "decrypt" stored passwords, because they're not supposed to be stored encrypted; they're salted and hashed. + +=> https://en.wikipedia.org/wiki/Salt_(cryptography) Salt (cryptography) (Wikipedia) + When estimating, we'll prefer higher estimates that increase the odds of it guessing a password; after all, the point of this exercise is to establish an *upper* limit on password strength. We'll also simplify: for instance, the MOAC will not waste any heat, and the only way it can guess a password is through brute-forcing. Focusing on too many details would defeat the point of this thought experiment. I won't address any particular encryption algorithms; this is just a pure and simple brute-force attack given precomputed password entropy. Furthermore, quantum computers can use Grover's algorithm for an exponential speed-up; to account for quantum computers using Grover's algorithm, calculate P(n/2, e) instead. @@ -277,7 +278,7 @@ A publication⁵ by Seth Lloyd from MIT further explores limits to computation s ## Acknowledgements -Thanks to Barna Zsombor and Ryan Coyler for helping me over IRC with my shaky physics and pointing out the caveats of my approach. u/RisenSteam on Reddit also corrected my reference to AES-256 encryption by bringing up salts. +Thanks to Barna Zsombor and Ryan Coyler for helping me over IRC with my shaky physics and pointing out the caveats of my approach. u/RisenSteam on Reddit also corrected an incorrect reference to AES-256 encryption by bringing up salts. My notes from Thermal Physics weren't enough to write this; various Wikipedia articles were also quite helpful, most of which were linked in the body of the article. 
diff --git a/content/posts/password-strength.md b/content/posts/password-strength.md index ef7418e..7a655a9 100644 --- a/content/posts/password-strength.md +++ b/content/posts/password-strength.md @@ -59,6 +59,8 @@ MOAC? ### Quantifying password strength. +*A previous version of this section wasn't clear and accurate. I've since removed the offending bits and added a clarification about salting/hashing to the [Caveats and estimates]({{}}) section.* + A good measure of password strength is **entropy bits.** The entropy bits in a password is a base-2 logarithm of the number of guesses required to brute-force it.[^1] @@ -68,13 +70,9 @@ password with *n* entropy bits, and has a one-in-two chance of cracking a passwo with *n*+1 entropy bits. For scale, [AES-256](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) -encryption is currently the industry standard for strong symmetric encryption. As the -name suggests, its keys have 256 bits of entropy. Be aware that AES keys are -typically derived from [key derivation -functions](https://en.wikipedia.org/wiki/Key_derivation_function) that -[salt](https://en.wikipedia.org/wiki/Salt_(cryptography)) and hash passwords, so a -brute-force attack to discover the password from an AES key would be against such a -function. Perhaps I could address that in a future article. +encryption is currently the industry standard for strong symmetric encryption, and +uses key lengths of 256-bits. An exhaustive key search over a 256-bit key space would +be up against its 2256 possible permutations. To calculate the entropy of a password, I recommend using a tool such as [zxcvbn](https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler) 
@@ -97,6 +95,11 @@ Caveats and estimates I don't have a strong physics background. +A brute-force attack will just guess a single password until the right one is found. +Brute-force attacks won't "decrypt" stored passwords, because they're not supposed to +be stored encrypted; they're typically +[salted](https://en.wikipedia.org/wiki/Salt_(cryptography)) and hashed. + When estimating, we'll prefer higher estimates that increase the odds of it guessing a password; after all, the point of this exercise is to establish an *upper* limit on password strength. We'll also simplify: for instance, the MOAC will not waste any @@ -343,8 +346,8 @@ Acknowledgements Thanks to [Barna Zsombor](http://bzsombor.web.elte.hu/) and [Ryan Coyler](https://rcolyer.net/) for helping me over IRC with my shaky physics and -pointing out the caveats of my approach. u/RisenSteam on Reddit also corrected my -reference to AES-256 encryption by bringing up salts. +pointing out the caveats of my approach. u/RisenSteam on Reddit also corrected an +incorrect reference to AES-256 encryption by bringing up salts. My notes from Thermal Physics weren't enough to write this; various Wikipedia articles were also quite helpful, most of which were linked in the body of the
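Review bot: In the password-strength.gmi hunk at @@ -26,18 +26,15 @@, the rewritten link line `=> https://en.wikipedia.org/wiki/Advanced_Encryption_Standard` drops the label the removed line carried ("Advanced Encryption Standard (Wikipedia)"), so it no longer matches the labelled link lines elsewhere in this file. Suggest keeping the label. In the same added sentence, "256-bits" should be "256 bits", and the 2²⁵⁶ values in a 256-bit key space are possible keys rather than "permutations".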
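Review bot: In the password-strength.gmi hunk at @@ -58,6 +55,10 @@, the added sentence "A brute-force attack will just guess a single password until the right one is found" reads as if the same password is guessed repeatedly; "guesses one candidate password at a time until the right one is found" says what is meant. It would also help to state that salting and hashing does not stop guessing: an attacker who holds the salt and hash can still hash each candidate and compare, so the entropy estimate in this article still applies. Separately, the context line further down calls Grover's algorithm an "exponential speed-up", but the P(n/2, e) adjustment it gives corresponds to a quadratic one.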
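Review bot: In the password-strength.gmi hunk at @@ -277,7 +278,7 @@, "corrected an incorrect reference" is redundant. Suggest "pointed out an incorrect reference to AES-256 encryption", and the same wording in the matching line of password-strength.md.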
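Review bot: In the password-strength.md hunk at @@ -59,6 +59,8 @@, the added note links "[Caveats and estimates]" to `({{}})`, which as shown in this hunk is an empty shortcode with no target. Suggest filling in the reference to that section's anchor so the link resolves. "wasn't clear and accurate" would also read better as "wasn't clear or accurate", here and in the .gmi copy.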
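Review bot: In the password-strength.md hunk at @@ -68,13 +70,9 @@, the added line reads "be up against its 2256 possible permutations", so the exponent is lost and the figure reads as two thousand two hundred fifty-six, while the .gmi copy has 2²⁵⁶. Suggest marking the exponent up as a superscript so both copies state the same number. This hunk also removes the only link to the key derivation function article without replacing it, which is worth a mention in the commit message if intended.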
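Review bot: In the password-strength.md hunk at @@ -97,6 +95,11 @@, the added text says stored passwords are "typically salted and hashed", while the same sentence added to password-strength.gmi says "they're salted and hashed" without "typically". Suggest making the two copies agree, keeping "typically" since the sentence describes what is supposed to happen rather than what every system does.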
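Review bot: In the password-strength.md hunk at @@ -343,8 +346,8 @@, the context line spells the name "Ryan Coyler" but links it to https://rcolyer.net/, so one of the two looks misspelled. Worth confirming the spelling while this paragraph is being edited, in both the .md and .gmi files.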