I've been intrested in IT security, cryptoigraphy and password security long time ago, I even made presentation about password security on PerlMova 2010 (sorry, slides in Russian only). So, I was curious, what's new things happened in this area - LinkedIn password hash leak, and Lastfm / Eharmony hash leak shortly after it. In both cases non-salted hashes was used (I'm sorry, but it's totall f*cked up) - LinkedIn uses sha1 and md5 was used in Lastfm! (no hashes was shown in second case, but 95% of all hashes was bruted for 1 year afterb leak).
So, eight characters alphanumeric passwords can't be securely hashed in MD5 - 2 days for total bruteforce on commodity hardware, it's disaster from security point of view.
What we can do? Of course, we need to use special thing for password hashing - bcrypt, scrypt or PBKDF2 - many of them already implemented on many programming languages now.
Also you can see very good presentation from PHDays 2012 conference by also famous security resercher Alexander Peslyak aka Solar Designer - wind up video up to 14:00:00 (sorry, but presentation on Russian only, but you can check slides).
Комментариев нет:
Отправить комментарий