Password strength checkers that take into account Moore's Law? [closed]

Submitted by 烈酒焚心 on 2019-12-24 00:53:39

Question


I was going about doing my annual password change on my accounts and tried various sites (Microsoft, LastPass, etc) to try out hypothetical passwords. Some sites seem a bit more thorough than other sites in their evaluation of password strength but this made me wonder if any of the sites take into account Moore's law. That is, one hears about how "it would take 130,000 years to crack X password" but does that take into account that computers double in speed about every two years?

I'd be really curious to see if these sites take this into account, or if there are any sites that someone can suggest that do?


Answer 1:


None of these calculations really take into account Moore's law. But let's see if we can show why we don't have to:

Moore's law states that processing power will double every 18 months (not quite, but good enough for our purposes).

So that means what's 130k years today, will be 65k years in 18 months. And 32.5k in 36 months, and so on, and so on.

We can come up with an equation for that!

cost-at-time = cost-today * 0.5 ^ (months / 18)

So plugging in cost today, we can see this nice pretty graph (x is years):

y = 130000 * .5 ^ (x / 1.5)

So, let's see what our cost will be for our 130k year password, in 50 years:

y = 130000 * .5 ^ (50 / 1.5)
y = 130000 * .5 ^ 33.3333
y = 0.000012 years (~6.3 minutes)

That's pretty fast!

How about 10 years?

y = 130000 * .5 ^ (10 / 1.5)
y = 130000 * .5 ^ 15
y = 1279 years

That's still quite strong...

However. It also misses the point of tunable algorithms like bcrypt and scrypt which are designed to be able to defeat Moore's law.

So if you use bcrypt, scrypt or PBKDF2, and keep tuning the cost so that it runs in a constant time, your password that takes 130k years today to crack (estimated), will still take 130k years to crack in 50 years.

Now, of course that doesn't solve the case where an attacker steals the password hash today, and spends the next 50 years attacking it... But I have to ask, what is your password protecting that a crypto-nerd will spend the next 50 years trying to attack it?

via XKCD
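The formula from the answer above, carried one step further, as an added example that is not part of the original answer: it also estimates the stolen-hash case the answer mentions, and the bcrypt cost bump needed to hold cracking time constant. The function names, the starting bcrypt cost of 12, and the assumption that the attacker upgrades hardware continuously are illustrative assumptions.

```python
import math

DOUBLING_YEARS = 1.5  # the answer's assumption: speed doubles every 18 months


def crack_years_on_future_hardware(cost_today_years, years_from_now):
    """The answer's formula: crack time if the attack *starts* in the future."""
    return cost_today_years * 0.5 ** (years_from_now / DOUBLING_YEARS)


def years_until_cracked_with_upgrades(cost_today_years):
    """Hash stolen today; attacker keeps upgrading hardware (assumption).

    Work finished by time T, measured in today's machine-years, is the
    integral of 2**(t/D) dt from 0 to T = (D / ln 2) * (2**(T/D) - 1).
    Setting that equal to cost_today_years and solving for T gives:
    """
    d = DOUBLING_YEARS
    return d * math.log2(1 + cost_today_years * math.log(2) / d)


def bcrypt_cost_for_constant_time(cost_today, years_from_now):
    """bcrypt's cost is a log2 work factor: +1 cost per hardware doubling."""
    return cost_today + math.floor(years_from_now / DOUBLING_YEARS)


if __name__ == "__main__":
    today = 130_000  # years, the figure used in the question and answer
    for years in (10, 50):
        later = crack_years_on_future_hardware(today, years)
        print(f"attack started in {years} years: {later:.6g} years")
    stolen = years_until_cracked_with_upgrades(today)
    print(f"hash stolen today, hardware upgraded continuously: {stolen:.1f} years")
    # Constructed starting point: bcrypt cost 12 today.
    print("bcrypt cost to hold time constant in 10 years:",
          bcrypt_cost_for_constant_time(12, 10))
```

Under these assumptions, a hash stolen today falls in decades rather than millennia, which is why retuning the cost only protects hashes that are re-hashed at the new cost.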

Source: https://stackoverflow.com/questions/17234741/password-strength-checkers-that-take-into-account-moores-law
