Secure Password Storage. Raspberry Pi Powered NTP Server. Joshua Small. https://github.com/technion/lhnskey - Root password generator for CVE-2013-2352. https://lolware.net/cw.html - Connectwise Password "Encryption" Broken
Secure Password Storage
Joshua Small
https://github.com/technion/lhnskey - Root password generator for CVE-2013-2352.
Lastpass and similar apps
Unique passwords everywhere!
Uptake from users: very low
Hash Algorithms!
MD5: Officially broken! Do not want!
SHA1: Published 1995, theoretical attack: 2^61
SHA256: Brute force at 2^128
This would make SHA256 completely secure for our purposes, for completely random input
But passwords are not random
Key space
One byte stores eight bits of data
But only 96 ASCII characters are printable
That leaves roughly 6.5 bits of entropy per byte
Average password is 6 characters long
That's only 39 bits of brute force - feasible
Improvements
Stretching: literally "perform the hash x times"
Salt: incorporate a random string. This prevents "rainbow tables", i.e. a big database of precomputed hash values
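The key-space estimate and the "salt + stretching" principles from the two slides above, as an added example that is not part of the original talk. It uses PBKDF2-HMAC-SHA512 from the Python standard library as the stretching loop (an assumption for illustration; this is not the sha512crypt or scrypt construction) and a per-user random salt, and the record format `pbkdf2_sha512$iterations$salt$hash` is a constructed layout, not a standard one.

```python
import hashlib
import hmac
import math
import os
from typing import Optional

# Stretching: how many HMAC-SHA512 rounds each guess costs the attacker too.
ITERATIONS = 200_000


def brute_force_bits(alphabet_size: int, length: int) -> float:
    """Bits of work to brute-force a uniformly random password.

    With the slide's numbers (96 printable characters, 6 long) this is
    log2(96) * 6, roughly 39 bits.
    """
    return math.log2(alphabet_size) * length


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha512$iterations$salt_hex$hash_hex.

    A fresh random salt per user means a precomputed ("rainbow") table of
    hash values is useless: the same password hashes differently for every user.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha512${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count, compare in constant time."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha512":
        raise ValueError("unsupported hash record")
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    # compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(dk.hex(), hash_hex)


if __name__ == "__main__":
    print(f"96^6 keyspace: {brute_force_bits(96, 6):.1f} bits")
    # Constructed sample: two users who chose the same weak password.
    a = hash_password("hunter2")
    b = hash_password("hunter2")
    print("same password, different records:", a != b)
    print("verify ok:", verify_password("hunter2", a), "reject:", verify_password("hunter3", a))
```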
SHA512crypt
Literally applies the principles of “stretching” and “salting” to SHA512
Default in several current Linux distributions for passwords in /etc/shadow
scrypt
Developed by Colin Percival, presented May 2009
Designed to offer significantly lower advantages to GPU and ASIC devices
Uses a hard to optimise hash function
Is not only computationally hard, but memory hard
Original paper: http://www.tarsnap.com/scrypt/scrypt.pdf
Used in Dogecoin
Dogecoin ASICs pushing 70KHash/s a big deal!
Increasing difficulty doesn't just slow things down, it