[wp-hackers] Password Handling Improvements - Trac Ticket #2870
sam at rephrase.net
Wed Sep 26 03:26:30 GMT 2007
On 9/26/07, DD32 <wordpress at dd32.id.au> wrote:
> But what's the hashing speed of MD5 these days? Anything from 50 to 500 hashes a second on today's average hardware can be expected, it seems,
Try 500 *thousand*, and that's lowballing it. Also, bear in mind that
brute-forcing hashes is embarrassingly parallel, so it can take
full advantage of your multicore machines, clusters, botnets,
whatever. MD5 is fast, and getting faster.
> The article says that the aim of the game is to make the salt long enough that the string
> is too long to be brute forced, but hold up there. If they're stored together, then you've
> already got the first 128 characters of the hashed string (the salt), therefore the brute force
> attack is now going to take the same time regardless of whether the password is stored with a salt
> or not.
You're completely right. The time spent reading Atwood's article would
have been better spent reading the one by Thomas Ptacek that he
selectively quoted from.
The aim of the salt isn't to make *individual* passwords harder to
brute-force; it's to make it take a hundred times longer to crack a
hundred passwords than it does to crack just one. That's all.
The strength of the system lies in making it impractical to
brute-force even one, let alone a hundred. MD5 doesn't give you that.
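The following is an added illustration of the point made in the message above; it is not code from the thread, from WordPress, or from ticket #2870. The user table and wordlist are constructed sample data. It stores the same four passwords as bare MD5 and as MD5 over a stored, per-user salt, then runs a dictionary attack against both tables and counts hash operations: the salted table costs nothing extra per password (the salt is known), but the work can no longer be shared across users. The `hash_rate` helper contrasts raw MD5 throughput with an iterated KDF (PBKDF2-HMAC-SHA256); that comparison is our own choice of slow construction, not a recommendation from the post.

```python
"""Salted vs. unsalted MD5: what the salt does and does not buy you."""
import hashlib
import os
import time

# Constructed sample data (not from the thread): a leaked-password wordlist
# and a handful of users, two of whom share a password.
WORDLIST = ["letmein", "password", "qwerty", "hunter2", "trustno1", "dragon"]
USERS = {"alice": "password", "bob": "hunter2", "carol": "password", "dave": "qwerty"}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def store_unsalted(users: dict) -> dict:
    """user -> md5(password); identical passwords give identical hashes."""
    return {u: md5_hex(p.encode()) for u, p in users.items()}


def store_salted(users: dict, salt_len: int = 16) -> dict:
    """user -> (salt_hex, md5(salt || password)); the salt is stored in the clear."""
    table = {}
    for u, p in users.items():
        salt = os.urandom(salt_len)
        table[u] = (salt.hex(), md5_hex(salt + p.encode()))
    return table


def crack_unsalted(table: dict, wordlist: list) -> tuple:
    """Hash each candidate once, then look every user up in the result.
    Cost: len(wordlist) hashes for the whole table, however many users."""
    lookup = {}
    hashes = 0
    for w in wordlist:
        lookup[md5_hex(w.encode())] = w
        hashes += 1
    cracked = {u: lookup[h] for u, h in table.items() if h in lookup}
    return cracked, hashes


def crack_salted(table: dict, wordlist: list) -> tuple:
    """The salt is known, so each candidate is as cheap to test as before,
    but the work cannot be shared: every user gets their own pass over the
    wordlist (stopping at the first hit). Cost grows linearly with users."""
    cracked = {}
    hashes = 0
    for u, (salt_hex, h) in table.items():
        salt = bytes.fromhex(salt_hex)
        for w in wordlist:
            hashes += 1
            if md5_hex(salt + w.encode()) == h:
                cracked[u] = w
                break
    return cracked, hashes


def compare_cracking(users: dict = USERS, wordlist: list = WORDLIST) -> dict:
    """Run both attacks and return the cracked passwords and hash counts."""
    u_cracked, u_hashes = crack_unsalted(store_unsalted(users), wordlist)
    s_cracked, s_hashes = crack_salted(store_salted(users), wordlist)
    return {
        "unsalted_cracked": u_cracked, "unsalted_hashes": u_hashes,
        "salted_cracked": s_cracked, "salted_hashes": s_hashes,
    }


def hash_rate(seconds: float = 0.2, iterations: int = 100_000) -> dict:
    """Rough single-core throughput of raw MD5 versus a deliberately slow
    iterated construction (PBKDF2-HMAC-SHA256, `iterations` rounds). The
    iterated KDF is our stand-in for the 'make even one impractical'
    property; the thread itself only says MD5 lacks it."""
    salt = b"constructed-salt"  # fixed value, for the benchmark only
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        md5_hex(salt + str(n).encode())
        n += 1
    md5_per_s = n / (time.perf_counter() - start)

    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"password", salt, iterations)
    kdf_per_s = 1 / (time.perf_counter() - start)
    return {"md5_per_s": md5_per_s, "pbkdf2_per_s": kdf_per_s}


if __name__ == "__main__":
    r = compare_cracking()
    print(f"unsalted: {r['unsalted_hashes']} hashes -> {r['unsalted_cracked']}")
    print(f"salted:   {r['salted_hashes']} hashes -> {r['salted_cracked']}")
    rates = hash_rate()
    print(f"md5: {rates['md5_per_s']:,.0f}/s   pbkdf2(100k): {rates['pbkdf2_per_s']:.1f}/s")
```

With the constructed data, the unsalted table falls in 6 hashes (one per wordlist entry, shared by all four users, and alice and carol visibly share a hash), while the salted table needs 11 (one pass per user, each stopping at its hit) for exactly the same result. Scale the users up and the salted cost scales with them; the per-password cost is unchanged, which is the whole point of the message above.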