[tahoe-dev] Idea for a Publish/Subscribe Message System on Tahoe-LAFS
Shawn Willden
shawn at willden.org
Mon Apr 9 01:30:34 UTC 2012
On Sun, Apr 8, 2012 at 5:26 PM, James A. Donald <jamesd at echeque.com> wrote:
> On 2012-04-09 7:13 AM, Shawn Willden wrote:
>
>> I find that strip rather disappointing (even after correcting the URL so
>> it
>> works). Munroe usually does his homework better than that. 44 bits of
>> entropy really isn't very much these days, and his estimate of 550 years
>> to
>> guess assumes a 1000 passwords per second testing rate, which is at least
>> three orders of magnitude too low -- for a single CPU.
>>
>
> Not so: Rather, two orders of magnitude too high.
>
> Normally, in systems potentially subject to offline attack, the programmer
> has a slow and elaborate system for deriving the key from the passphrase.
>
In well-designed systems, yes, hashes are iterated to increase the effort.
I've seen an awful lot of password hashes that are a pure SHA1 hash (or
worse). A surprising number aren't even salted. The mobile revolution is
also creating a situation where the performance difference between common
devices and servers is wider than it has ever been, too.
--
Shawn
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://tahoe-lafs.org/pipermail/tahoe-dev/attachments/20120408/685923b7/attachment-0001.html>
More information about the tahoe-dev
mailing list