Wednesday, 20 July 2011

Stealing Passwords? Usually Impossible...

...unless you store passwords in plain text (or behind extremely weak one-way functions); phishing isn't the issue here. Who does that? Seriously, who does that? The usual approach to storing passwords is to use, for starters, a 'strong' one-way function (a hash function).

Even in the old days, a un*x(-like) system stored passwords using such a hash algorithm and some salt. That these (relatively) weak hashes can nowadays be cracked in minutes isn't exactly a secret. With huge tables of pre-calculated hashes ('rainbow tables') and the corresponding computational power, a brute-force attack isn't a big deal anymore.

Still, headlines like "passwords have been stolen" appear daily in tabloids and newspapers.

How hard could it possibly be to 'store' passwords safely? You take the password, send it through a reasonably strong hashing algorithm (like SHA-512), add a little salt, and apply those two in alternating rotation a number of times (think of thousands). Store this 'twisted' password, and authenticate against it (using the same mechanism). Now, again, is this so hard?

Example (SHA-512, 1000 rotations, salt=2blec4Uhd (usually randomly chosen, and not known)):
Password: mysecret
$6$rounds=1000$2blec4Uhd$jaD/3BjfbvCzKUH5qZX69ZwS5bWyofUiSSibX/oFzQa5N/pp2WjffQkmosmwSCxKmaIujh3qeE/wDx9brX6rC.
Reproduce this, if you like, with
mkpasswd --method=SHA-512 --rounds=1000 --salt=2blec4Uhd mysecret
on Linux, for example.
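
The same store-and-verify mechanism in Python, as an added example that is not from the original post: it uses PBKDF2-HMAC-SHA512 from hashlib instead of the SHA-512 crypt scheme that mkpasswd produces. The record layout, the function names and the default round count are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import secrets

SCHEME = "pbkdf2-sha512"  # label chosen for this example, not a standard prefix


def hash_password(password: str, rounds: int = 10_000) -> str:
    """Return a storable record of the form scheme$rounds$salt$digest."""
    salt = secrets.token_bytes(16)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds)
    return "$".join([
        SCHEME,
        str(rounds),
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and rounds, then compare."""
    try:
        scheme, rounds, salt_b64, digest_b64 = record.split("$")
        if scheme != SCHEME:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        candidate = hashlib.pbkdf2_hmac(
            "sha512", password.encode(), salt, int(rounds))
    except (ValueError, OverflowError):
        return False  # malformed or tampered record never authenticates
    # constant-time comparison, so timing does not leak matching prefixes
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    stored = hash_password("mysecret")  # constructed sample password
    print(stored)
    print(verify_password("mysecret", stored))   # correct password
    print(verify_password("Mysecret", stored))   # wrong password
    # Same password, new salt: the stored record differs, so one
    # precomputed table cannot cover both entries.
    print(hash_password("mysecret") == stored)
```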
