
Enhancing password protection


Wolfie



A top-of-the-line modern GPU can calculate something like 200 million hashes per second.




Actually a GPU on the low end of the high end (if that makes sense, like a GTX 560) can calculate 1.5-2 billion MD5s per second.

Amazon's setup with multiple GPUs or using a bunch of really high end GPUs like HD5970s yourself, you can top 25 billion hashes per second. This is why it's so problematic, because your average user uses nowhere near a 14 character password.

On this forum, the majority of us are administrators of our communities, we're not bothered about *our* passwords being cracked because chances are, we use decent passwords, we're worried about our users' passwords should the worst happen and the hashes get exposed. You can force your users to use complex passwords if you want but you can also expect to see new registrations fall.


Other topic loads just fine for me.




http://community.inv...orums-attacked/

That one? What forum is it posted in?


Amazon's setup with multiple GPUs or using a bunch of really high end GPUs like HD5970s yourself, you can top 25 billion hashes per second. This is why it's so problematic, because your average user uses nowhere near a 14 character password.



OK, my figures are from 2009, so let's use yours: 95^14 possible passwords, two MD5sums per, on average you have to test half of them. 25 billion MD5s per second. 2.4e27 MD5s to calculate, at a rate of 2.5e10 per second gives 1.95e17 seconds. You're still talking billions of years. Again, what this all boils down to is that the single most effective way of preventing brute-forcing of a password is to make it longer.
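The estimate worked through in the post above, generalised to other password lengths. This is an added example, not part of the original thread; it assumes the figures the posts give (95 possible characters, two MD5s per guess, 25 billion MD5s per second), and the function names are made up for illustration.

```python
# Added example: constants are the figures quoted in the thread.
CHARSET = 95         # printable characters per position, as in the post
MD5_PER_GUESS = 2    # "two MD5sums per" candidate password
RATE = 25e9          # 25 billion MD5s per second

UNITS = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]


def expected_seconds(length, charset=CHARSET, md5_per_guess=MD5_PER_GUESS, rate=RATE):
    """Average exhaustive-search time for one hash: half the keyspace is tested."""
    guesses = charset ** length / 2
    return guesses * md5_per_guess / rate


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"


def min_length(target_seconds, **kwargs):
    """Shortest password length whose expected search time reaches the target."""
    length = 1
    while expected_seconds(length, **kwargs) < target_seconds:
        length += 1
    return length


def table(lengths=range(6, 15)):
    """(length, expected seconds) pairs for a range of password lengths."""
    return [(n, expected_seconds(n)) for n in lengths]


if __name__ == "__main__":
    for n, secs in table():
        print(f"{n:>2} chars  {humanize(secs)}")
    print("length needed to last a year:", min_length(365 * 86400))
```

At these rates each extra character multiplies the search time by 95, which is why the 14-character figure lands in the billions of years while an 8-character password of the same character set lasts about three days.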


Again, what this all boils down to is that the single most effective way of preventing brute-forcing of a password is to make it longer.




Again, I think you missed the point of my post. We're all well aware of that, but currently, forcing users to do this isn't a popular option and so people will be people and they will continue to use weak passwords. We need a solution for the users who choose to do that to help protect them. And I'm sure you're thinking, "users who use weak passwords get what they deserve", but regardless of that, if your community gets breached, it's already bad enough publicity, but then when a user gets their password cracked, even if it was weak, they still hold you responsible in their eyes.


I've been using IPB for a few years, well I had it installed, but it's been idle, just never had the time to 'use' it, but each install has been hacked within a few months. Just tonight I had to do a complete wipe and re-install, this is the 3rd time.




You must be setting your password to "a" or have very poor server security. I suggest changing all your hosting passwords.

Most hacks are not done through the front end.

Archived

This topic is now archived and is closed to further replies.
