Password Strength
=================
How strong should a password be?

5 min read

--------------------------------------------------------------------------------

/------------------------------------------------------------------------------\
| Chick3nman 🐔 @Chick3nman512@twitter.com                                      |
|------------------------------------------------------------------------------|
| PBKDF2-SHA256 with 100100 rounds in @hashcat [L1] will run at 90kH/s on a    |
| single @NVIDIAGeForce [L2] RTX 4090. Not fast by any means, but also not     |
| super slow either. You can clear rockyou.txt (14M passwords) in about 2      |
| minutes 45 seconds at that speed. RE: @LastPass [L3]                         |
|                                                                              |
| [L4] 12/22/2022                                                              |
\------------------------------------------------------------------------------/

/------------------------------------------------------------------------------\
| Aaron Toponce ⚛️ @atoponce@fosstodon.org                                      |
|------------------------------------------------------------------------------|
| On PBKDF2 iterations.                                                        |
|                                                                              |
| #cryptography [L5] #security [L6] #passwords [L7]                            |
|                                                                              |
| neilmadden.blog/2023/01/09/on-... [L8]                                       |
|                                                                              |
| [L9] 1/9/2023                                                                |
\------------------------------------------------------------------------------/

/------------------------------------------------------------------------------\
| Sophie Schmieg @sophieschmieg@infosec.exchange                               |
|------------------------------------------------------------------------------|
| @atoponce [L10] there are no sane parameters for password hashing that       |
| provide anything like the security levels expected in modern cryptography.   |
|                                                                              |
| This! Oh so much this!                                                       |
|                                                                              |
| If the attacker gets the password hashes you have lost a substantial amount  |
| of security, and no number of rounds (or even memory hardness) is going to   |
| make up for it. Using a memory hard slow hash function with a good number of |
| rounds is still best practice, but it cannot be the lynchpin of your         |
| security.                                                                    |
|                                                                              |
| [L11] [L12] 1/9/2023                                                         |
\------------------------------------------------------------------------------/

/------------------------------------------------------------------------------\
| Sophie Schmieg @sophieschmieg@infosec.exchange                               |
|------------------------------------------------------------------------------|
| @atoponce [L10] my favorite thought experiment on this is the following,     |
| looking first at Google's login infrastructure there are 2^33 people in the  |
| world, a reasonable requirement would be for all of them to be able to login |
| to your system in a single day. That means the system has enough computing   |
| power to brute force a 33 bit password in a single day, no matter what       |
| parameters you choose (as a very much lower bound, since this assumes that   |
| the login is only computing hashes and none of that actual serving stuff).   |
|                                                                              |
| Now your system might not literally be Google's login servers, but chances   |
| are that you don't want to have a system the size of Google's login servers  |
| to serve only a handful of people either (plus, while brute forcing is       |
| lazily parallel, the whole point of a slow hash function is to not be        |
| parallelizable, so those handful people that you're serving with your        |
| several data centers worth of compute power will likely have to wait hours   |
| to actually log into their system).                                          |
|                                                                              |
| This means that as an absolute lower bound, you should assume 33 bit         |
| passwords can always be broken in a day, independent of the hash function    |
| you use. (And likely much, much less time)                                   |
|                                                                              |
| [L13] [L12] 1/9/2023                                                         |
\------------------------------------------------------------------------------/

/------------------------------------------------------------------------------\
| Aaron Toponce ⚛️ @atoponce@fosstodon.org                                      |
|------------------------------------------------------------------------------|
| @sophieschmieg [L14] That's a clean and simple way to put it. I dig it!      |
|                                                                              |
| I usually refer them to my GitHub Gist, which hopefully is laid out cleanly, |
| but still verbose                                                            |
|                                                                              |
| gist.github.com/atoponce/a7715... [L15]                                      |
|                                                                              |
| [L16] 1/9/2023                                                               |
\------------------------------------------------------------------------------/

/------------------------------------------------------------------------------\
| Cendyne @cendyne@furry.engineer                                              |
|------------------------------------------------------------------------------|
| #Password [L17] managers like #LastPass [L18] are not being truthful about   |
| password strength when it comes to passwords you invented to keep everything |
| safe inside.                                                                 |
|                                                                              |
| Their #security [L19] #DataBreach [L20] started this conversation and it is  |
| time to dispel a critical misunderstanding in password security within       |
| #infosec [L21]. Human passwords are biased. That makes them weaker than any  |
| mathematical strength formula can predict.                                   |
|                                                                              |
| Just like cryptography, biases are used against you online and offline.      |
|                                                                              |
| cendyne.dev/posts/2023-01-07-p... [L22]                                      |
|                                                                              |
| [L23] 1/7/2023                                                               |
\------------------------------------------------------------------------------/

/------------------------------------------------------------------------------\
| ConsiderMiranda @considermiranda@mastodon.green                              |
|------------------------------------------------------------------------------|
| Do your passwords still consist of memorable words and a suffix?             |
|                                                                              |
| Fascinating read on how to pick better pass phrases, by looking at how they  |
| are hacked.                                                                  |
|                                                                              |
| schneier.com/blog/archives/201... [L24]                                      |
|                                                                              |
| #passwords [L25] #LastPass [L26] #InfoSec [L27] #PasswordManagers [L28]      |
|                                                                              |
| [L29] 12/29/2022                                                             |
\------------------------------------------------------------------------------/

--------------------------------------------------------------------------------

[L1]: https://twitter.com/hashcat
[L2]: https://twitter.com/NVIDIAGeForce
[L3]: https://twitter.com/LastPass
[L4]: https://twitter.com/Chick3nman512/status/1606037277515325448
[L5]: https://fosstodon.org/tags/cryptography
[L6]: https://fosstodon.org/tags/security
[L7]: https://fosstodon.org/tags/passwords
[L8]: https://neilmadden.blog/2023/01/09/on-pbkdf2-iterations/
[L9]: https://fosstodon.org/@atoponce/109660245982189661
[L10]: https://fosstodon.org/@atoponce
[L11]: https://infosec.exchange/@sophieschmieg/109660333554042239
[L12]: https://archive.is/v3cOC
[L13]: https://infosec.exchange/@sophieschmieg/109660451610891585
[L14]: https://infosec.exchange/@sophieschmieg
[L15]: https://gist.github.com/atoponce/a7715930ae6eb7d6b487f2f76b57a68d
[L16]: https://fosstodon.org/@atoponce/109660474306785343
[L17]: https://furry.engineer/tags/Password
[L18]: https://furry.engineer/tags/LastPass
[L19]: https://furry.engineer/tags/security
[L20]: https://furry.engineer/tags/DataBreach
[L21]: https://furry.engineer/tags/infosec
[L22]: https://cendyne.dev/posts/2023-01-07-passwords-are-weaker-than-you-believe.html
[L23]: https://furry.engineer/@cendyne/109650417121779996
[L24]: https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html
[L25]: https://mastodon.green/tags/passwords
[L26]: https://mastodon.green/tags/LastPass
[L27]: https://mastodon.green/tags/InfoSec
[L28]: https://mastodon.green/tags/PasswordManagers
[L29]: https://mastodon.green/@considermiranda/109597685236238071
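Sophie Schmieg's thought experiment (2^33 users logging in once a day) and Chick3nman's throughput figure (90 kH/s against rockyou.txt) from the posts above, worked through numerically. This is an added example, not code from any of the posts; the function names, the 86,400-second day, and the 14M rockyou entry count used as inputs are my own assumptions.

```python
"""Back-of-the-envelope password-cracking bounds from the thread above.

Added example, not from any post in the thread. Inputs taken from the posts:
Sophie Schmieg's 2^33 users logging in once per day, and Chick3nman's
90 kH/s for PBKDF2-SHA256 at 100100 rounds on one RTX 4090 against
rockyou.txt (14M entries). Function names and the 86400 s day are assumptions.
"""
import math

SECONDS_PER_DAY = 86_400


def required_hash_rate(users: int, window_seconds: float = SECONDS_PER_DAY) -> float:
    """Minimum verifications per second so that `users` logins each complete
    once within `window_seconds`. Each login costs one hash evaluation, so this
    is the login system's own throughput whatever hash parameters it uses."""
    return users / window_seconds


def bits_exhausted(hash_rate: float, seconds: float) -> float:
    """Password entropy (bits) whose whole space can be enumerated at
    `hash_rate` within `seconds`. The hash parameters are already baked into
    the rate, so this bound does not move when the round count is raised."""
    return math.log2(hash_rate * seconds)


def exhaust_seconds(candidates: int, hash_rate: float) -> float:
    """Time to try every entry of a wordlist holding `candidates` guesses."""
    return candidates / hash_rate


def expected_crack_seconds(entropy_bits: float, hash_rate: float) -> float:
    """Expected time to hit a uniformly random password: half the space."""
    return 2 ** (entropy_bits - 1) / hash_rate


def bits_gained(old_rounds: int, new_rounds: int) -> float:
    """Security bought by raising the iteration count. Cost scales linearly
    for attacker and defender alike, so k-fold rounds is worth log2(k) bits:
    doubling the rounds adds exactly one bit, never more."""
    return math.log2(new_rounds / old_rounds)


if __name__ == "__main__":
    rate = required_hash_rate(2 ** 33)  # Schmieg: 2^33 users, one day
    print(f"login infra sustains {rate:,.0f} H/s -> "
          f"{bits_exhausted(rate, SECONDS_PER_DAY):.0f} bits/day; a 33-bit "
          f"password falls in {expected_crack_seconds(33, rate) / 3600:.0f} h on average")
    gpu = 90_000  # Chick3nman: one RTX 4090, PBKDF2-SHA256 x 100100 rounds
    print(f"rockyou.txt at {gpu:,} H/s: {exhaust_seconds(14_000_000, gpu) / 60:.1f} min")
    # Constructed comparison: tenfold rounds buys about 3.3 bits, not ten.
    print(f"100100 -> 1001000 rounds: +{bits_gained(100100, 1_001_000):.2f} bits")
```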