On Sat, Nov 27, 2010 at 11:47 PM, Christophe Pettus <x...@thebuild.com> wrote:
> Actually, no, the situations are really quite asymmetrical. In order to
> brute-force a password, an attacker has to be able to try many, many
> thousands of combinations per second. To log in a user, an application has
> to do it exactly once. A hash computation time of, say, 10ms is probably
> unnoticeable in a login situation, unless you have tens of thousands of users
> logging in per minute (and if this is the case, then you probably have other
> problems than the speed of your password hash algorithm). But that would
> pretty much slam the door down on any brute force attempt at a password
> recovery.
But how far are you willing to go in your assumption of the worst-case computational ability of your attacker? Would tuning the hash to (say) a 10ms delay for your web server's modest hardware translate into a significant delay for an attacker with far more resources? (This isn't a rhetorical question; I honestly don't know.)

> A salt is of no benefit on a brute force attack; its function is to prevent
> dictionary attacks, which are a different animal.

It does in fact slow down brute force attacks against multiple encrypted passwords; each password with a different salt is within an entirely different space that needs to be brute forced separately from the other passwords.

> And if you are willing to assume that no attacker can ever get access to your
> database, then you don't have to hash the password at all.

Sure, but my point was that there are various walls you can throw up against attackers to slow them down that don't involve slowing down your hash algorithm.

> But, as you point out, that's a separate discussion from the value of
> pluggable encryption algorithms.

Right; I didn't mean to dissent from (or concur with) that proposal.
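The two cost arguments in the exchange above (the work factor that makes every guess expensive, and per-user salts that keep one guess from being reused across many stolen hashes) can be made concrete with a small PBKDF2 simulation. This is an added illustration, not code from the thread and not Django's own password hashing; the user table, the passwords and the wordlist are constructed for the demonstration, and `calibrate_iterations`, `store`, `verify` and `crack` are names chosen here, not Django APIs.

```python
import hashlib
import hmac
import os
import time

# Constructed sample data for the demonstration (not from the thread).
USERS = {"alice": "hunter2", "bob": "letmein", "carol": "hunter2"}
# A toy attacker wordlist; real ones run to millions of entries.
WORDLIST = ["password", "123456", "letmein", "qwerty", "hunter2"]
HASH_LEN = 32


def pbkdf2(password: str, salt: bytes, iterations: int) -> bytes:
    """One password-hash evaluation: the unit of cost for defender and attacker alike."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, HASH_LEN)


def calibrate_iterations(target_seconds: float, probe: int = 1000) -> int:
    """Pick an iteration count so one verify takes roughly target_seconds on
    THIS machine. The attacker pays the same per-guess work but on their own
    hardware, so this fixes the cost ratio, not the attacker's absolute speed."""
    salt = os.urandom(16)
    start = time.perf_counter()
    pbkdf2("calibration", salt, probe)
    per_iter = (time.perf_counter() - start) / probe
    return max(1000, int(target_seconds / per_iter))


def store(users: dict, iterations: int, per_user_salt: bool = True) -> dict:
    """Build a credential table of name -> (salt, digest). With
    per_user_salt=False every record shares a single salt, which is the case
    in which a salt really does nothing against a multi-account brute force."""
    shared = os.urandom(16)
    table = {}
    for name, pw in users.items():
        salt = os.urandom(16) if per_user_salt else shared
        table[name] = (salt, pbkdf2(pw, salt, iterations))
    return table


def verify(table: dict, name: str, password: str, iterations: int) -> bool:
    """Defender side: exactly one hash evaluation per login attempt."""
    salt, digest = table[name]
    return hmac.compare_digest(pbkdf2(password, salt, iterations), digest)


def crack(table: dict, wordlist: list, iterations: int):
    """Attacker side against a stolen table. Returns (recovered, hash_count).
    Each candidate is hashed once per distinct salt and compared with every
    record under that salt, so a shared salt costs one evaluation per candidate
    while distinct per-user salts cost one per (user, candidate) pair."""
    by_salt = {}
    for name, (salt, digest) in table.items():
        by_salt.setdefault(salt, []).append((name, digest))
    recovered, hash_count = {}, 0
    for candidate in wordlist:
        for salt, records in by_salt.items():
            h = pbkdf2(candidate, salt, iterations)
            hash_count += 1
            for name, digest in records:
                if hmac.compare_digest(h, digest):
                    recovered[name] = candidate
    return recovered, hash_count


def demo(iterations: int = 1000) -> dict:
    """Compare attacker cost for a shared salt versus per-user salts."""
    shared = store(USERS, iterations, per_user_salt=False)
    salted = store(USERS, iterations, per_user_salt=True)
    rec_shared, cost_shared = crack(shared, WORDLIST, iterations)
    rec_salted, cost_salted = crack(salted, WORDLIST, iterations)
    return {
        "login_cost": 1,                      # one evaluation per login
        "cost_shared_salt": cost_shared,      # len(WORDLIST)
        "cost_per_user_salt": cost_salted,    # len(WORDLIST) * len(USERS)
        "recovered_shared": rec_shared,
        "recovered_salted": rec_salted,
    }


if __name__ == "__main__":
    print("iterations for ~10ms here:", calibrate_iterations(0.010))
    print(demo())
```

Running `demo()` shows the asymmetry both sides of the thread are arguing about: the login path pays for one evaluation, the attacker pays `len(WORDLIST)` evaluations when every record shares a salt and `len(WORDLIST) * len(USERS)` when each has its own, because a guess hashed under one user's salt tells the attacker nothing about another user's record. The iteration count multiplies both attacker figures, and `calibrate_iterations` only sets it relative to the defender's hardware; how that translates to an attacker's GPU throughput is exactly the open question the reply raises, and this toy does not answer it.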