1
0
Fork 0
mirror of https://git.sr.ht/~seirdy/seirdy.one synced 2024-11-10 00:12:09 +00:00

Fixed misconception about salting/hashing

Clarify that salting + hashing isn't reversible by a naive brute-force
attack.
This commit is contained in:
Rohan Kumar 2021-01-17 10:12:58 -08:00
parent 56410531fe
commit f22692d836
No known key found for this signature in database
GPG key ID: 1E892DB2A5F84479
2 changed files with 21 additions and 17 deletions

View file

@ -26,18 +26,15 @@ How strong should your password be for it to be safe from a brute-force attack b
### Quantifying password strength.
Note: a previous version of this section wasn't clear and accurate. I've since removed the offending bits and added a clarification about salting/hashing to the "Caveats and estimates" section.
A good measure of password strength is *entropy bits.* The entropy bits in a password is a base-2 logarithm of the number of guesses required to brute-force it.¹
A brute-force attack that executes 2ⁿ guesses is certain to crack a password with n entropy bits, and has a one-in-two chance of cracking a password with n+1 entropy bits.
For scale, AES 256 encryption is currently the industry standard for strong symmetric encryption.
For scale, AES-256 encryption is currently the industry standard for strong symmetric encryption, and uses key lengths of 256-bits. An exhaustive key search over a 256-bit key space would be up against its 2²⁵⁶ possible permutations.
=> https://en.wikipedia.org/wiki/Advanced_Encryption_Standard Advanced Encryption Standard (Wikipedia)
As the name suggests, its keys have 256 bits of entropy. Be aware that AES keys are typically derived from key derivation functions that salt and hash passwords, so a brute-force attack to discover the password from an AES key would be against such a function. Perhaps I could address that in a future article.
=> https://en.wikipedia.org/wiki/Key_derivation_function Key derivation function (Wikipedia)
=> https://en.wikipedia.org/wiki/Salt_(cryptography) Salt (cryptography) (Wikipedia)
=> https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
To calculate the entropy of a password, I recommend using a tool such as zxcvbn or KeePassXC.
@ -58,6 +55,10 @@ If P(n, e) ≥ 1, the MOAC will certainly guess your password before running out
I don't have a strong physics background.
A brute-force attack will just guess a single password until the right one is found. Brute-force attacks won't "decrypt" stored passwords, because they're not supposed to be stored encrypted; they're salted and hashed.
=> https://en.wikipedia.org/wiki/Salt_(cryptography) Salt (cryptography) (Wikipedia)
When estimating, we'll prefer higher estimates that increase the odds of it guessing a password; after all, the point of this exercise is to establish an *upper* limit on password strength. We'll also simplify: for instance, the MOAC will not waste any heat, and the only way it can guess a password is through brute-forcing. Focusing on too many details would defeat the point of this thought experiment.
I won't address any particular encryption algorithms; this is just a pure and simple brute-force attack given precomputed password entropy. Furthermore, quantum computers can use Grover's algorithm for an exponential speed-up; to account for quantum computers using Grover's algorithm, calculate P(n/2, e) instead.
@ -277,7 +278,7 @@ A publication⁵ by Seth Lloyd from MIT further explores limits to computation s
## Acknowledgements
Thanks to Barna Zsombor and Ryan Coyler for helping me over IRC with my shaky physics and pointing out the caveats of my approach. u/RisenSteam on Reddit also corrected my reference to AES-256 encryption by bringing up salts.
Thanks to Barna Zsombor and Ryan Coyler for helping me over IRC with my shaky physics and pointing out the caveats of my approach. u/RisenSteam on Reddit also corrected an incorrect reference to AES-256 encryption by bringing up salts.
My notes from Thermal Physics weren't enough to write this; various Wikipedia articles were also quite helpful, most of which were linked in the body of the article.

View file

@ -59,6 +59,8 @@ MOAC?
### Quantifying password strength.
*A previous version of this section wasn't clear and accurate. I've since removed the offending bits and added a clarification about salting/hashing to the [Caveats and estimates]({{<ref "#caveats-and-estimates" >}}) section.*
A good measure of password strength is **entropy bits.** The entropy bits in a
password is a base-2 logarithm of the number of guesses required to brute-force
it.[^1]
@ -68,13 +70,9 @@ password with *n* entropy bits, and has a one-in-two chance of cracking a passwo
with *n*+1 entropy bits.
For scale, [AES-256](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard)
encryption is currently the industry standard for strong symmetric encryption. As the
name suggests, its keys have 256 bits of entropy. Be aware that AES keys are
typically derived from [key derivation
functions](https://en.wikipedia.org/wiki/Key_derivation_function) that
[salt](https://en.wikipedia.org/wiki/Salt_(cryptography)) and hash passwords, so a
brute-force attack to discover the password from an AES key would be against such a
function. Perhaps I could address that in a future article.
encryption is currently the industry standard for strong symmetric encryption, and
uses key lengths of 256-bits. An exhaustive key search over a 256-bit key space would
be up against its 2<sup>256</sup> possible permutations.
To calculate the entropy of a password, I recommend using a tool such as
[zxcvbn](https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler)
@ -97,6 +95,11 @@ Caveats and estimates
I don't have a strong physics background.
A brute-force attack will just guess a single password until the right one is found.
Brute-force attacks won't "decrypt" stored passwords, because they're not supposed to
be stored encrypted; they're typically
[salted](https://en.wikipedia.org/wiki/Salt_(cryptography)) and hashed.
When estimating, we'll prefer higher estimates that increase the odds of it guessing
a password; after all, the point of this exercise is to establish an *upper* limit on
password strength. We'll also simplify: for instance, the MOAC will not waste any
@ -343,8 +346,8 @@ Acknowledgements
Thanks to [Barna Zsombor](http://bzsombor.web.elte.hu/) and [Ryan
Coyler](https://rcolyer.net/) for helping me over IRC with my shaky physics and
pointing out the caveats of my approach. u/RisenSteam on Reddit also corrected my
reference to AES-256 encryption by bringing up salts.
pointing out the caveats of my approach. u/RisenSteam on Reddit also corrected an
incorrect reference to AES-256 encryption by bringing up salts.
My notes from Thermal Physics weren't enough to write this; various Wikipedia
articles were also quite helpful, most of which were linked in the body of the