[ale] OT - New encryption technology using a piece of paper
Michael Trausch
mike at trausch.us
Tue Sep 6 11:41:11 EDT 2011
On 09/06/2011 11:30 AM, Drifter wrote:
> Can't the industry put a halt to brute force attempts at password cracking
> simply by instituting an ever-increasing delay following incorrect
> password input?
It doesn't even need to be ever-increasing; constant is acceptable, so
long as it is built-in.
One reason I don't consider a site to be secure unless there is a KDF
involved that requires at least 0.1 seconds of CPU time per each
password attempt. That means that not only is a password entity
protected over the network by way of brute force, but it is also
protected if the database itself, which stores the key that is derived
from the password (and I should hope, the salt) is ever stolen.
> It shouldn't be necessary to lock folks out after X wrong
> inputs; just increase the delay: 0.1 seconds; 0.2; 0.4;0.8;1.6 . . . . Or
> pick some other increasing variable. One computer may have the ability to
> output a gazillion passwords per second, but if the receiving computer
> won't allow the high speed input, the attempted crack fails.
Whereas a KDF is simple to implement, properly implementing the type of
system that you're talking about without leaking important security
information is next to impossible.
If you key the delay on the username alone, you can leak the fact that
someone has failed logging in (which a cracker can use to create a
denial of service).
If you key the delay on username and IP address, a cracker can use that
to simply use many addresses (which bypasses the delay requirement).
If you key the delay on existing usernames stored in a database table,
you can leak what usernames exist versus what usernames do not exist
(and crackers will use that to their advantage).
A KDF is simpler and far better for the purpose. If you make it take
0.1 seconds per login attempt, you cannot crack a password even if you
have it locally. Not until long after you're dead, anyway.
--- Mike
--
A man who reasons deliberately, manages it better after studying Logic
than he could before, if he is sincere about it and has common sense.
--- Carveth Read, “Logic”
More information about the Ale
mailing list