
A very negative article - unduly so for me

Posted Mar 2, 2017 15:29 UTC (Thu) by anarcat (subscriber, #66354)
In reply to: A very negative article - unduly so for me by anarcat
Parent article: The case against password hashers

Actually, I was incorrect: the EFF cracked DES in 56 hours on a single, custom-built machine that cost 250 000$. See:

https://en.wikipedia.org/wiki/Data_Encryption_Standard#Ch...
https://en.wikipedia.org/wiki/EFF_DES_cracker

I would posit that no one is bothering to build those for MD5 because it's now known to be vulnerable and not worth the (economic) effort. But if enough people start using password hashers with weak primitives, it will certainly become interesting again.

And before you think that no one started building dedicated SHA256 cracking machines, just think of the Bitcoin network and what those things could do if they were repurposed to start cracking password hashes... To put things in perspective, the Bitcoin network is currently pushing out about 10^15 hashes per second, or 4 million trillion hashes per second (TH/s). Compare this with GRC's "Massive Cracking Array Scenario" that assumes a whopping one hundred TH/s. While that kind of computing power will probably not be repurposed to attack *your* password in particular, it certainly puts it in the realm of possibility these days, especially when you start dealing with state actors or well-funded adversaries.



A very negative article - unduly so for me

Posted Mar 2, 2017 22:21 UTC (Thu) by tialaramex (subscriber, #21167) [Link]

"I would posit that no one is bothering to build those for MD5 because it's now known to be vulnerable and not worth the (economic) effort. But if enough people start using password hashers with weak primitives, it will certainly become interesting again"

No. Nobody is doing that with MD5 because that would be crazy.

The point of the EFF device is that 56 bits isn't an adequate _key size_. Nothing else about DES matters to that device or to the EFF's purpose in making it. A shiny modern cipher with a 56-bit key would get the same response. DES is actually very, very good considering how old it is, just today we think key sizes should be large enough to resist plausible brute force attacks too, and we meanwhile came up with a bunch of features we really want that DES was never designed to accommodate.

The equivalent "key size" for MD5 (which isn't even the same flavour of algorithm) is 128 bits, so a brute force search isn't practical. Yes, MD5 is broken, but the _famous_ breaks of MD5 are collision attacks, which don't help you here (except see the first comment I wrote on this article, not relevant to humans). The best published pre-image attack, the sort we care about here, needs 2^123.4 steps and is thus of course unimplementable in the real world. It cemented MD5's status as obsolete, but it has no practical impact.

