Algorithm Secrecy is not Security
Posted Tuesday, March 19, 2013 8:17 AM
SSC Eights!

umailedit (3/19/2013)
Not so many with SHA-1 or one of the SHA-2 family with 100 rounds, either. You're not arguing for encryption vs. hashing, you're arguing for enough rounds to take more time vs. not enough rounds (say, 1).


I am arguing for one-way encryption rather than hashing. Hashing functions are ridiculously fast. Even with a hundred rounds you can try 10000 passwords per second, as shown by the following sample PHP I wrote for you.


Then run 100,000,000 rounds; the actual number is completely irrelevant. Run as many rounds of whatever you choose as you need to in order to meet your requirements. N rounds is still at least N times slower than 1 round.

If you really want to make it take longer to crack your passwords, do as many rounds as you can on hardware as close to the optimum cracking hardware as is practical - if that's GPUs, then ideally use GPUs (or NVIDIA Tesla cards - not as fast as the fastest consumer GPUs, but warrantied for a production duty cycle, which is important - and major server manufacturers will put them under the same mission critical warranty as the rest of the server). If you need CPUs with AES-NI instructions, then make sure you're using such.
Post #1432675
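An added example, not part of the original thread: one way to choose the round count from a time requirement on the hashing server, as the reply above suggests, and to store that count with each hash so it can be raised later. PBKDF2-HMAC-SHA256, the `pbkdf2_sha256$...` storage format, the 100,000 floor and all function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import time

def time_pbkdf2(iterations, password=b"constructed-sample", salt=b"\x00" * 16):
    """Seconds taken by one PBKDF2-HMAC-SHA256 call on this machine."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return time.perf_counter() - start

def calibrate(target_seconds, probe=20_000, floor=100_000):
    """Pick a round count so one hash costs about target_seconds here.

    Cost is linear in rounds, so time a probe run and scale. The floor
    (an assumed value) stops a fast box or a tiny target from producing
    a weak setting.
    """
    per_round = min(time_pbkdf2(probe) for _ in range(3)) / probe
    return max(floor, int(target_seconds / per_round))

def hash_password(password, iterations):
    """Hash with a fresh random salt; the round count travels with the hash."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, stored, current_iterations):
    """Return (ok, needs_rehash) for a login attempt.

    needs_rehash is True when the password is correct but was stored with
    fewer rounds than today's setting, so the caller can re-hash it.
    """
    scheme, iters, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return (False, False)
    iters = int(iters)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), iters)
    ok = hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    return (ok, ok and iters < current_iterations)

if __name__ == "__main__":
    rounds = calibrate(0.25)  # aim for roughly a quarter second per hash
    record = hash_password("constructed sample password", rounds)
    print(rounds, verify_password("constructed sample password", record, rounds))
```

The calibration measures the hashing server, not the cracking hardware, so the result is a lower bound on the defender's cost per guess and says nothing about an attacker's throughput on GPUs.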