Bcrypt for password hashing because it is slow?

Front-end | Unresolved | 4 | 2256
闹比i 2021-02-20 13:54

I read today on not-implemented.com:

Sha-256 should be chosen in most cases where a high speed hash function is desired. It is considered secure with no

4 answers
  • 2021-02-20 14:27

    Brute force a hashed password? It's easier said than done.

    If the passwords are not using a SALT then it is possible to break it, no matter the kind of encryption (because we could use a dictionary / pre-calculated hash attack).

    The speed of the algorithm means nothing, it's just a myth that some people are spreading for the wrong reasons.

    For example:

    Our hash is generated with the following formula:

     MD5(SALT+MD5(SALT+VALUE))

    Even if we could generate every possible combination of MD5 in a split second, how would we know if we found the right value? And the answer is no, it's not possible. MD5 (or SHA) doesn't check if the value is right or not, it simply generates a sequence of values and nothing more.

    We could try a brute force attack if and only if we have a way to determine whether the hash we generated matches some criteria. These criteria could be a dictionary, and that means a slow process too, and only if we could find some criteria.

  • 2021-02-20 14:32

    On your side, the password hash needs to be computed rather rarely. But an attacker who tries to brute force a password from a stolen hash, relies on computing as many hashes as possible.

    So, if your login now takes 100 ms instead of 0.1 (probably less) that's not really a problem for you. But it makes a huge difference for an attacker if he needs 2000 days to break a password instead of 2 days.

    bcrypt is designed to be slow and not to allow any shortcut.

  • 2021-02-20 14:36

    It takes more effort to brute force the password. The slower the algorithm, the fewer guesses can be made per second. The extra time won't be noticed by a user of the system, but will make it harder to crack the password.

  • 2021-02-20 14:47

    Because if it takes more time to hash the value, it also takes a much longer time to brute-force the password.

    Keep in mind that slow means that it requires more computing power. The same goes for when a potential hacker tries to brute-force a password.

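The two points made across the answers above, a per-password random salt (first answer) and a tunable work factor that costs the attacker the same multiple it costs the login (second, third and fourth answers), can be shown together in a short script. This is an added example, not code from the thread; it uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt, because the point being demonstrated is the cost parameter, which both algorithms expose. The salt size, iteration counts and the 8-lowercase-letter keyspace are assumptions chosen for the illustration.

```python
"""Salted, tunable-cost password hashing: defender cost vs attacker cost.

Added example. PBKDF2-HMAC-SHA256 (stdlib) stands in for bcrypt; the
iteration count plays the role of bcrypt's cost factor.
"""
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Assumed parameters for this example (not from the original thread).
SALT_BYTES = 16          # one fresh random salt per stored password
FAST_ITERATIONS = 1      # roughly "one SHA-256 per guess"
SLOW_ITERATIONS = 100_000  # a deliberately slow work factor


def hash_password(password: str, iterations: int,
                  salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest).

    A random salt per password means two users with the same password get
    different digests, so a precomputed table of digests is useless and each
    stored hash has to be attacked on its own.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, iterations, salt)
    return hmac.compare_digest(candidate, digest)


def seconds_per_hash(iterations: int, samples: int = 5) -> float:
    """Average wall-clock cost of one hash at this work factor.

    This is the per-login cost for the server and, equally, the per-guess
    cost for someone working through a stolen digest.
    """
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", f"guess-{i}".encode(), salt, iterations)
    return (time.perf_counter() - start) / samples


def estimated_crack_seconds(keyspace: int, per_hash_seconds: float) -> float:
    """Worst-case time to try every candidate, single core, no parallelism.

    The estimate is linear in the per-guess cost: raising the work factor by
    a factor k raises this by the same factor k.
    """
    return keyspace * per_hash_seconds


if __name__ == "__main__":
    # Constructed sample: one stored credential.
    salt, digest = hash_password("correct horse battery", SLOW_ITERATIONS)
    assert verify_password("correct horse battery", salt, digest, SLOW_ITERATIONS)
    assert not verify_password("wrong guess", salt, digest, SLOW_ITERATIONS)

    keyspace = 26 ** 8  # assumed: every 8-character lowercase password
    for label, iters in (("fast", FAST_ITERATIONS), ("slow", SLOW_ITERATIONS)):
        cost = seconds_per_hash(iters)
        days = estimated_crack_seconds(keyspace, cost) / 86_400
        print(f"{label:4} ({iters:>7} iterations): "
              f"{cost * 1000:8.3f} ms per login, "
              f"{1 / cost:12,.0f} guesses/s, "
              f"~{days:,.0f} days to exhaust {keyspace:,} candidates")
```

Run it as a script and the two lines at the end make the thread's argument concrete: the slow setting adds a few tens of milliseconds to one login, while the exhaustive-search estimate for the same keyspace grows by the same factor as the iteration count. The numbers depend on the machine, which is exactly why bcrypt and PBKDF2 let the cost be raised over time.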