PeterUK Posted July 20, 2012

> A top-of-the-line modern GPU can calculate something like 200 million hashes per second.

Actually, a GPU on the low end of the high end (if that makes sense, like a GTX 560) can calculate 1.5-2 billion MD5s per second. With Amazon's multi-GPU setup, or a bunch of really high-end GPUs like HD5970s of your own, you can top 25 billion hashes per second. This is why it's so problematic, because your average user uses nowhere near a 14-character password. On this forum, the majority of us are administrators of our communities; we're not bothered about *our* passwords being cracked because, chances are, we use decent passwords. We're worried about our users' passwords should the worst happen and the hashes get exposed. You can force your users to use complex passwords if you want, but you can also expect to see new registrations fall.

Other topic loads just fine for me.

http://community.inv...orums-attacked/ That one? What forum is it posted in?
Wolfie Posted July 20, 2012 (Author)

> The upshot: if you use a long password and it's salted in the DB, it is NOT going to get brute-forced. Period.

I find it difficult to believe what someone says when their understanding (or at least your wording) of probabilities is flawed at best.

> http://community.inv...orums-attacked/ That one? What forum is it posted in?

Client Lounge
PeterUK Posted July 20, 2012

Oh, I don't have Client Lounge because this account is a secondary contact. My other account's support has expired, so I don't have it there either. :P
eGullet Posted July 20, 2012

> Amazon's setup with multiple GPUs or using a bunch of really high end GPUs like HD5970s yourself, you can top 25 billion hashes per second. This is why it's so problematic, because your average user uses nowhere near a 14 character password.

OK, my figures are from 2009, so let's use yours: 95^14 possible passwords, two MD5sums per password, and on average you have to test half of them. 25 billion MD5s per second. 2.4e27 MD5s to calculate, at a rate of 2.5e10 per second, gives 1.95e17 seconds. You're still talking billions of years. Again, what this all boils down to is that the single most effective way of preventing brute-forcing of a password is to make it longer.
PeterUK Posted July 21, 2012

> Again, what this all boils down to is that the single most effective way of preventing brute-forcing of a password is to make it longer.

Again, I think you missed the point of my post. We're all well aware of that, but currently, forcing users to do this isn't a popular option, and so people will be people and they will continue to use weak passwords. We need a solution for the users who choose to do that, to help protect them. And I'm sure you're thinking, "users who use weak passwords get what they deserve", but regardless of that, if your community gets breached, it's already bad enough publicity; then when a user gets their password cracked, even if it was weak, they still hold you responsible in their eyes.
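A worked version of eGullet's arithmetic and of PeterUK's objection, added here as an example that is not part of the original thread and not IPB's code. It computes the expected offline brute-force time using the figures quoted above (95 printable ASCII characters, 25 billion hashes per second, two MD5 computations per guess) across several password lengths, so the 14-character case lands on eGullet's 1.95e17 seconds while the short passwords real users pick fall in seconds or days. It then shows how a deliberately slow password hash with a tunable cost (PBKDF2 iterations, bcrypt cost) divides the attacker's rate, which is the standard way to protect users who choose weak passwords; the work factor of 2**17 is an illustrative assumption, as are all function names.

```python
"""Expected brute-force time for an offline attack on leaked password hashes.

Added example, not code from the thread or from IPB.  Figures taken from the
thread: 95 printable ASCII characters, 25e9 hashes/s on a multi-GPU rig (2012),
two MD5 computations per guess.  The slow-hash work factor is an assumption
chosen for illustration only.
"""

PRINTABLE_ASCII = 95      # character set behind eGullet's 95^14 figure
GPU_RATE_2012 = 25e9      # hashes per second, PeterUK's figure for a multi-GPU rig
MD5S_PER_GUESS = 2        # "two MD5sums per", as stated in the thread


def keyspace(length, alphabet=PRINTABLE_ASCII):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length


def expected_seconds(length, rate_per_sec, alphabet=PRINTABLE_ASCII,
                     hashes_per_guess=1):
    """Average time to find one password of the given length by exhaustive search.

    An attacker trying candidates in any fixed order needs, on average, half the
    keyspace; each candidate costs `hashes_per_guess` hash computations.
    """
    guesses = keyspace(length, alphabet) / 2
    return guesses * hashes_per_guess / rate_per_sec


def effective_rate(fast_rate, work_factor):
    """Guess rate against a deliberately slow hash.

    A hash with a tunable cost (PBKDF2 iteration count, bcrypt cost, ...) makes
    every guess cost `work_factor` times as much as one fast hash, so the
    attacker's rate drops by the same factor.  `work_factor` is an assumed
    illustrative value, not a property of any particular product.
    """
    return fast_rate / work_factor


def human(seconds):
    """Render a duration in the largest unit that gives a value >= 1."""
    units = (("years", 365.25 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.2g} seconds"


def crack_time_table(lengths, rate_per_sec, hashes_per_guess=MD5S_PER_GUESS,
                     work_factor=1):
    """Expected crack time per password length, as a list of (length, seconds)."""
    rate = effective_rate(rate_per_sec, work_factor)
    return [(n, expected_seconds(n, rate, hashes_per_guess=hashes_per_guess))
            for n in lengths]


if __name__ == "__main__":
    lengths = (6, 8, 10, 14)
    print("fast hash (2 x MD5 per guess), 25e9 hashes/s:")
    for n, secs in crack_time_table(lengths, GPU_RATE_2012):
        print(f"  {n:2d} chars: {human(secs)}")
    # Assumed work factor: each guess costs 2**17 fast-hash-equivalents.
    print("slow hash, assumed work factor 2**17, one hash per guess:")
    for n, secs in crack_time_table(lengths, GPU_RATE_2012,
                                    hashes_per_guess=1, work_factor=2 ** 17):
        print(f"  {n:2d} chars: {human(secs)}")
```

Run as-is it prints both tables. The point it makes for the thread: password length dominates the fast-hash column (6 characters fall in under a minute, 14 characters take billions of years), while the work factor is the one knob the site operator controls, and it moves every row by the same constant factor regardless of what the user chose.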
Cyrem Posted July 21, 2012

> I've been using IPB for a few years, well I had it installed, but it's been idle, just never had the time to 'use' it, but each install has been hacked within a few months. Just tonight I had to do a complete wipe and re-install, this is the 3rd time.

You must be setting your password to "a" or have very poor server security. I suggest changing all your hosting passwords. Most hacks are not done through the front end.
Archived
This topic is now archived and is closed to further replies.